mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-18 03:19:51 +03:00
Teffen Ellis
72eb609f62
Replace `npm install -g netlify-cli` with `npx --yes --package=netlify-cli@26` in the source-docs publish workflow. Two reasons: 1. A `-g` install bypasses the repo `.npmrc` (npm only walks up from the cwd of the install, not from the global prefix), so `ignore-scripts=true` and `save-exact=true` do not apply — install scripts run and a fresh `latest` is resolved on every CI run. `npx` invoked inside the repo honors the project `.npmrc`. 2. Without a version pin, every run pulls whatever `latest` happens to be at that moment, which is exactly the resolution behavior that the recent npm "Mini Shai-Hulud" incident weaponized. Pinning to `@26` bounds the major and lets Dependabot manage upgrades through the same cooldown window as everything else. Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
35 lines
1012 B
YAML
35 lines
1012 B
YAML
---
|
|
name: CI - Source code docs
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
env:
|
|
POSTGRES_DB: authentik
|
|
POSTGRES_USER: authentik
|
|
POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
|
|
|
|
jobs:
|
|
publish-source-docs:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 120
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
|
|
- name: Setup authentik env
|
|
uses: ./.github/actions/setup
|
|
- name: generate docs
|
|
run: |
|
|
uv run make migrate
|
|
uv run ak build_source_docs
|
|
- name: Publish
|
|
env:
|
|
NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
|
|
NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
|
|
# Pinned netlify-cli major. A global `npm install -g` ignores the
|
|
# repo .npmrc and runs lifecycle scripts; `npx --package` honors
|
|
# the .npmrc (which sets ignore-scripts=true) and pins the version.
|
|
run: |
|
|
npx --yes --package=netlify-cli@26 -- netlify deploy --dir=source_docs --prod
|