Skip to content

Remove vale linting from deploy workflow for security#36

Merged
reakaleek merged 2 commits intomainfrom
respected-huckleberry
Mar 26, 2026
Merged

Remove vale linting from deploy workflow for security#36
reakaleek merged 2 commits intomainfrom
respected-huckleberry

Conversation

@reakaleek
Copy link
Copy Markdown
Member

@reakaleek reakaleek commented Mar 26, 2026
edited
Loading

Summary

  • Removes checkout, changed-files resolution, and vale lint execution from the vale-report job in docs-deploy.yml — these ran fork code in a workflow with elevated permissions (pull-requests: write, id-token, deployments)
  • The vale-report job now only runs elastic/vale-rules/report@main, which downloads the vale-results artifact produced by docs-build.yml and posts a PR comment
  • Tightens permissions (contents: readcontents: none) and removes the unused include-paths input

Test plan

  • Verify a PR with enable-vale-linting: true still gets a vale report comment (artifact flows from build → deploy)
  • Verify the vale-results artifact is uploaded by the docs-build.yml vale job (default behavior of elastic/vale-rules/lint)
  • Confirm the deploy workflow no longer checks out fork code in the vale-report job

🤖 Generated with Claude Code

@reakaleek @claude
Remove vale linting from deploy workflow for security
1a9a947 
The vale-report job in docs-deploy.yml checked out and linted fork code
in a workflow with elevated permissions (pull-requests: write, id-token,
deployments). This is a security risk — the lint step should only run in
the unprivileged docs-build.yml workflow.

The report action already downloads the vale-results artifact from the
build workflow run internally, so the deploy workflow only needs to post
the comment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@reakaleek reakaleek force-pushed the respected-huckleberry branch from bde5548 to 1a9a947 Compare March 26, 2026 12:06
@reakaleek @claude
Add actions: read permission to vale-report job
3847eaa 
The report action uses dawidd6/action-download-artifact to download the
vale-results artifact from the triggering workflow run, which requires
the actions: read permission to call the workflow runs API.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@reakaleek reakaleek requested a review from Mpdreamz March 26, 2026 12:35
@reakaleek
Copy link
Copy Markdown
Member Author

reakaleek commented Mar 26, 2026

tested in https://github.com/elastic/docs-eng-playground/pull/61#issuecomment-4134340293

@reakaleek reakaleek added the fix label Mar 26, 2026
@reakaleek reakaleek merged commit d6e9751 into main Mar 26, 2026
2 of 3 checks passed
@reakaleek reakaleek deleted the respected-huckleberry branch March 26, 2026 12:41
@Mpdreamz Mpdreamz mentioned this pull request Mar 26, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mpdreamz Mpdreamz Mpdreamz approved these changes

Assignees

No one assigned

Labels

fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@reakaleek @Mpdreamz