From cbc8e376d7366ef817126d8d976556a8ed8464b7 Mon Sep 17 00:00:00 2001 From: Abel Date: Thu, 5 Feb 2026 23:07:41 -0800 Subject: [PATCH 01/11] Add GitHub Actions Acceptable Use Violation Guide This document outlines acceptable use policies and common violations for GitHub Actions workflows, including disallowed use cases, content restrictions, and security concerns. --- GITHUB_ACTIONS_ACCEPTABLE_USE.md | 140 +++++++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 GITHUB_ACTIONS_ACCEPTABLE_USE.md diff --git a/GITHUB_ACTIONS_ACCEPTABLE_USE.md b/GITHUB_ACTIONS_ACCEPTABLE_USE.md new file mode 100644 index 000000000000..012202934649 --- /dev/null +++ b/GITHUB_ACTIONS_ACCEPTABLE_USE.md 
@@ -0,0 +1,140 @@ +# GitHub Actions Workflows — TOS / Acceptable Use Violation Guide + +## Purpose + +This document outlines common patterns, anti-patterns, and activities within GitHub Actions workflows that **can break GitHub’s Terms of Service (TOS)** or **Acceptable Use Policies (AUP)**. Violations can lead to: + +- workflow termination by GitHub, +- restriction or suspension of GitHub Actions, +- repository disablement, +- account suspension or termination. + +This guidance supplements the official terms: GitHub Terms of Service, GitHub Terms for Additional Products, and GitHub Acceptable Use Policies. :contentReference[oaicite:1]{index=1} + +--- + +## 1. Disallowed Workflow Use Cases + +### ❌ Cryptomining or Other Unrelated Compute Tasks + +Workflows must not be used for general computing tasks unrelated to repository software production, testing, deployment, or publication. Examples include: + +- running cryptomining jobs in workflows. :contentReference[oaicite:2]{index=2} +- serving general compute jobs not tied to the repo’s development lifecycle. + +GitHub explicitly prohibits using Actions for high-burden compute services (e.g., as a general serverless platform). :contentReference[oaicite:3]{index=3} + +--- + +### ❌ Unauthorized Access or Security Violations + +Workflows must not perform activity that: + +- attempts to disrupt or gain unauthorized access to devices, services, accounts, or networks outside authorized bug bounty programs; or +- initiates attacks (e.g., scanning, exploitation, denial of service). :contentReference[oaicite:4]{index=4} + +Workflows that include malicious scripts, malware, or code designed to breach systems are prohibited. + +--- + +### ❌ Excessive or Abusive Automation + +GitHub’s Acceptable Use Policies ban content and activity that: + +- use the platform for excessive automated bulk activity; +- place undue burden on GitHub’s infrastructure through automation. 
:contentReference[oaicite:5]{index=5} + +Workflows that run on overly aggressive schedules, spawn thousands of concurrent jobs, or perform arbitrary network calls purely for automation strain GitHub resources. + +--- + +### ❌ Spam, Inauthentic, or Misleading Content + +Avoid workflows that: + +- mass-generate notifications, issues, comments, or pull requests for spam purposes; +- automate fake stars, forks, or bot activity to artificially inflate metrics; +- publish promotions or solicitations that violate the AUP. :contentReference[oaicite:6]{index=6} + +--- + +## 2. Content and Code Restrictions + +### ❌ Publishing Unlawful Content + +Workflows should not be used to upload or distribute illegal or harmful content via generated artifacts or repository commits, including: + +- malware or exploit binaries as outputs of CI jobs; or +- code explicitly meant to violate laws. :contentReference[oaicite:7]{index=7} + +GitHub may remove such content and take account action. + +--- + +### ❌ Intellectual Property Violations + +Workflows that publish artifacts, binaries, or code that infringe copyright, trademark rights, or proprietary licenses are violations under the Acceptable Use Policies. :contentReference[oaicite:8]{index=8} + +--- + +## 3. Workflow Security-Related Concerns (Operational Risks) + +*Note: The following are **security best practices** but can also correlate to **policy violations if misused**.* + +### ⚠️ Using Untrusted or Unsigned Actions + +Workflows that reference unverified third-party actions (e.g., from unknown authors or with typo-squatted names) create security risks, which can lead to unintended malicious code execution. Though not a direct TOS clause, this **enables violations** when workflows execute harmful logic. :contentReference[oaicite:9]{index=9} + +**Mitigation:** + +- use verified actions or restrict allowed actions at the org level, +- pin action versions to commit hashes or specific releases. 
+ +--- + +### ⚠️ Exposing Secrets + +Workflows with insecure handling of secrets (e.g., printing them to logs, uploading them in public artifacts) can lead to compromise. While this is primarily a security issue, GitHub may take action if secrets are leaked at scale or used in harmful ways. + +--- + +### ⚠️ Self-Hosted Runner Misconfiguration + +Self-hosted runners exposed to untrusted code (e.g., in public fork PRs) can execute arbitrary code on internal infrastructure. Misconfigurations that lead to unauthorized access on private networks can trigger policy enforcement. :contentReference[oaicite:10]{index=10} + +--- + +## 4. API and Tokens Misuse + +- Abuse or excessive API usage (including workflow tokens and GitHub API clients) can lead to enforcement actions under API Terms and TOS. :contentReference[oaicite:11]{index=11} +- Sharing API tokens to exceed rate limits is prohibited. + +--- + +## 5. Consequences of Violations + +GitHub’s policy enforcement actions may include: + +- termination or disabling of offending workflows, +- throttling or restricting GitHub Actions use, +- disabling repositories created solely for TOS violations, +- account suspension or termination. :contentReference[oaicite:12]{index=12} + +--- + +## 6. Recommended Safe Practices + +✔ Only run Actions directly related to the software’s build, test, deployment, or publishing. +✔ Pin action versions to stable releases. +✔ Restrict workflows from running on untrusted pull requests without approval. +✔ Avoid metascheduling unrelated compute tasks. + +--- + +## 7. References + +- **GitHub Terms of Service & Acceptable Use Policies** — official source of usage restrictions. :contentReference[oaicite:13]{index=13} +- **Additional Terms for GitHub Actions** — limitations on compute and prohibited uses. :contentReference[oaicite:14]{index=14} + +--- + From 85c157d30bef6845796cbe6761427ca51d9294b5 Mon Sep 17 00:00:00 2001 
From: Abel Date: Thu, 5 Feb 2026 23:16:04 -0800 Subject: [PATCH 02/11] Revise GITHUB_ACTIONS_ACCEPTABLE_USE.md for clarity Updated language for clarity and corrected grammatical errors in the acceptable use document. --- GITHUB_ACTIONS_ACCEPTABLE_USE.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/GITHUB_ACTIONS_ACCEPTABLE_USE.md b/GITHUB_ACTIONS_ACCEPTABLE_USE.md index 012202934649..d26a5f12cf08 100644 --- a/GITHUB_ACTIONS_ACCEPTABLE_USE.md +++ b/GITHUB_ACTIONS_ACCEPTABLE_USE.md @@ -17,7 +17,7 @@ This guidance supplements the official terms: GitHub Terms of Service, GitHub Te ### ❌ Cryptomining or Other Unrelated Compute Tasks -Workflows must not be used for general computing tasks unrelated to repository software production, testing, deployment, or publication. Examples include: +Workflows must not be used for general computing tasks unrelated to repository software production, testing, deployment, or publication. Examples included - running cryptomining jobs in workflows. :contentReference[oaicite:2]{index=2} - serving general compute jobs not tied to the repo’s development lifecycle. @@ -28,7 +28,7 @@ GitHub explicitly prohibits using Actions for high-burden compute services (e.g. ### ❌ Unauthorized Access or Security Violations -Workflows must not perform activity that: +Workflows must not perform activities that: - attempts to disrupt or gain unauthorized access to devices, services, accounts, or networks outside authorized bug bounty programs; or - initiates attacks (e.g., scanning, exploitation, denial of service). :contentReference[oaicite:4]{index=4} 
@@ -55,7 +55,7 @@ Avoid workflows that: - mass-generate notifications, issues, comments, or pull requests for spam purposes; - automate fake stars, forks, or bot activity to artificially inflate metrics; - publish promotions or solicitations that violate the AUP. :contentReference[oaicite:6]{index=6} - +- Using GitHub actions to scam/spam is against our Rules --- ## 2. Content and Code Restrictions @@ -67,7 +67,7 @@ Workflows should not be used to upload or distribute illegal or harmful content - malware or exploit binaries as outputs of CI jobs; or - code explicitly meant to violate laws. :contentReference[oaicite:7]{index=7} -GitHub may remove such content and take account action. +GitHub may remove such content and take action. --- @@ -135,6 +135,3 @@ GitHub’s policy enforcement actions may include: - **GitHub Terms of Service & Acceptable Use Policies** — official source of usage restrictions. :contentReference[oaicite:13]{index=13} - **Additional Terms for GitHub Actions** — limitations on compute and prohibited uses. :contentReference[oaicite:14]{index=14} - ---- - From 0a1f642446090a2cf68b51ce0fbca5d269972ab7 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 07:33:37 -0800 Subject: [PATCH 03/11] Add workflow to sync fork with upstream repository This workflow syncs the fork with the upstream repository every 5 minutes or on manual trigger. --- .github/workflows/sync-upstream.yml | 35 +++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/sync-upstream.yml diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml new file mode 100644 index 000000000000..8ca3e698a96c --- /dev/null +++ b/.github/workflows/sync-upstream.yml 
@@ -0,0 +1,35 @@ +name: Sync Fork with Upstream + +on: + schedule: + - cron: "*/5 * * * *" # every 5 minutes + workflow_dispatch: + +permissions: + contents: write + +jobs: + sync: + runs-on: ubuntu-latest + + steps: + - name: Checkout fork + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Add upstream remote + run: | + git remote add upstream https://github.com/github/docs.git || true + git remote -v + + - name: Fetch upstream + run: git fetch upstream + + - name: Merge upstream into fork + run: | + git checkout main + git merge upstream/main --no-edit || echo "Nothing to merge" + + - name: Push changes + run: git push origin main From f8b58a201092f0eb1fd14f3543917b9ef0a5b55b Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 07:38:05 -0800 Subject: [PATCH 04/11] Rename moda-ci.yaml to Update-fork.yaml --- .github/workflows/{moda-ci.yaml => Update-fork.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{moda-ci.yaml => Update-fork.yaml} (100%) diff --git a/.github/workflows/moda-ci.yaml b/.github/workflows/Update-fork.yaml similarity index 100% rename from .github/workflows/moda-ci.yaml rename to .github/workflows/Update-fork.yaml From 5514fea0aca98f0dd27e2b7a600a18efed00c233 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 07:43:37 -0800 Subject: [PATCH 05/11] Rename Update-fork.yaml to sync-upstream-pr.yml --- .github/workflows/Update-fork.yaml | 103 ------------------------- .github/workflows/sync-upstream-pr.yml | 51 ++++++++++++ 2 files changed, 51 insertions(+), 103 deletions(-) delete mode 100644 .github/workflows/Update-fork.yaml create mode 100644 .github/workflows/sync-upstream-pr.yml diff --git a/.github/workflows/Update-fork.yaml b/.github/workflows/Update-fork.yaml deleted file mode 100644 index 43240c6dcdb3..000000000000 --- a/.github/workflows/Update-fork.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -name: docs-internal Moda CI - -# More info on CI actions setup can be found here: -# https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md - -on: - workflow_dispatch: - push: - branches-ignore: - - 'gh-readonly-queue/**' - merge_group: - types: [checks_requested] - -jobs: - ########################## - # Generate Vault keys - ########################## - set-vault-keys: - runs-on: ubuntu-latest - outputs: - modified_vault_keys: ${{ steps.modify_vault_keys.outputs.modified }} - steps: - - name: Set vault-keys output - id: modify_vault_keys - run: | - if [ -z "${{ vars.VAULT_KEYS }}" ]; then - # We want to add the DOCS_BOT_PAT_BASE to the list of keys - # so that builds fetch the secret from the docs-internal vault - # where --environment is "ci" - echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT - else - echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT - fi - - ############# - # Moda jobs - ############# - moda-config-bundle: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys - strategy: - fail-fast: false - matrix: - ci_job: [{ 'job': 'docs-internal-moda-config-bundle' }] - uses: github/internal-actions/.github/workflows/moda.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - - ############# - # Docker Image jobs - ############# - docker-image: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys - strategy: - fail-fast: false - matrix: - ci_job: [{ 'job': 'docs-internal-docker-image' }] - uses: github/internal-actions/.github/workflows/kube.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ 
needs.set-vault-keys.outputs.modified_vault_keys }} - # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src= - attest: true - docker-build-env-secrets: 'DOCS_BOT_PAT_BASE' - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - - ############# - # Docker Security jobs - ############# - docker-security: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys - strategy: - fail-fast: false - matrix: - ci_job: [{ 'job': 'docs-internal-docker-security' }] - uses: github/internal-actions/.github/workflows/docker_security.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} - # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src= - docker-build-env-secrets: 'DOCS_BOT_PAT_BASE' - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - -permissions: - actions: read - checks: read - contents: read - statuses: read - id-token: write - attestations: write diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml new file mode 100644 index 000000000000..4bbca3bb4759 --- /dev/null +++ b/.github/workflows/sync-upstream-pr.yml 
@@ -0,0 +1,51 @@ +name: Sync Upstream (PR-based) + +on: + schedule: + - cron: "*/5 * * * *" # every 5 minutes + workflow_dispatch: + +permissions: + contents: write + pull-requests: write + +jobs: + sync: + runs-on: ubuntu-latest + + steps: + - name: Checkout fork + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure git + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + - name: Add upstream + run: | + git remote add upstream https://github.com/github/docs.git || true + git fetch upstream + + - name: Create sync branch + run: | + git checkout -B upstream-sync upstream/main + + - name: Push sync branch + run: | + git push origin upstream-sync --force + + - name: Create or update PR + uses: peter-evans/create-pull-request@v6 + with: + branch: upstream-sync + title: "⬆️ Sync with upstream (github/docs)" + body: | + Automated PR to sync this fork with the latest upstream changes. + - Runs every 5 minutes + - Fork-safe + - No auto-merge + base: main + delete-branch: false From e9c293975f16c84d1ab7c9aa71a83c7c7dea2d00 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 07:51:33 -0800 Subject: [PATCH 06/11] Enhance sync-upstream PR workflow for fork safety Updated workflow to be fork-safe and improved PR message. --- .github/workflows/sync-upstream-pr.yml | 30 ++++++++++++++++++++------ 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml index 4bbca3bb4759..dc739cb736e4 100644 --- a/.github/workflows/sync-upstream-pr.yml +++ b/.github/workflows/sync-upstream-pr.yml @@ -1,4 +1,4 @@ -name: Sync Upstream (PR-based) +name: Sync Upstream (PR-based, fork-safe) on: schedule: 
@@ -29,10 +29,22 @@ jobs: git remote add upstream https://github.com/github/docs.git || true git fetch upstream - - name: Create sync branch + - name: Create sync branch from upstream run: | git checkout -B upstream-sync upstream/main + # 🚫 HARD BLOCK: never allow workflow files from upstream + - name: Remove upstream workflows (fork-safe) + run: | + rm -rf .github/workflows + mkdir -p .github/workflows + echo "# Fork-safe workflows only" > .github/workflows/.keep + + - name: Commit sanitized upstream changes + run: | + git add . + git commit -m "Sync upstream (workflows stripped)" || echo "No changes" + - name: Push sync branch run: | git push origin upstream-sync --force @@ -41,11 +53,15 @@ jobs: uses: peter-evans/create-pull-request@v6 with: branch: upstream-sync + base: main title: "⬆️ Sync with upstream (github/docs)" body: | - Automated PR to sync this fork with the latest upstream changes. - - Runs every 5 minutes - - Fork-safe - - No auto-merge - base: main + Automated upstream sync PR. + + ✅ Fork-safe + 🚫 Upstream workflows stripped + 🔁 Runs every 5 minutes + labels: | + upstream-sync + automated delete-branch: false From 5cdd17e8ba91bc554249669b84131c44382be224 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 07:58:53 -0800 Subject: [PATCH 07/11] Update sync upstream workflow to exclude workflows --- .github/workflows/sync-upstream-pr.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml index dc739cb736e4..f57922caed05 100644 --- a/.github/workflows/sync-upstream-pr.yml +++ b/.github/workflows/sync-upstream-pr.yml @@ -2,7 +2,7 @@ name: Sync Upstream (PR-based, fork-safe) on: schedule: - - cron: "*/5 * * * *" # every 5 minutes + - cron: "*/5 * * * *" workflow_dispatch: permissions: 
@@ -33,17 +33,15 @@ jobs: run: | git checkout -B upstream-sync upstream/main - # 🚫 HARD BLOCK: never allow workflow files from upstream - - name: Remove upstream workflows (fork-safe) + # 🚫 CRITICAL FIX: remove workflows from the index ONLY + - name: Exclude upstream workflows from fork run: | - rm -rf .github/workflows - mkdir -p .github/workflows - echo "# Fork-safe workflows only" > .github/workflows/.keep + git rm -r --cached .github/workflows || true - name: Commit sanitized upstream changes run: | git add . - git commit -m "Sync upstream (workflows stripped)" || echo "No changes" + git commit -m "Sync upstream (exclude workflows)" || echo "No changes" - name: Push sync branch run: | @@ -58,9 +56,9 @@ jobs: body: | Automated upstream sync PR. - ✅ Fork-safe - 🚫 Upstream workflows stripped - 🔁 Runs every 5 minutes + - Fork-safe + - Upstream workflows excluded + - Runs every 5 minutes labels: | upstream-sync automated From 1a287ad6c018fe438db9ee79938833da430fd256 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 14:30:15 -0800 Subject: [PATCH 08/11] Refactor sync upstream workflow for simplicity Updated the sync upstream workflow to simplify the process by removing the exclusion of workflows and streamlining the commit message. --- .github/workflows/sync-upstream-pr.yml | 42 +++++--------------------- 1 file changed, 7 insertions(+), 35 deletions(-) diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml index f57922caed05..f778fb70fe97 100644 --- a/.github/workflows/sync-upstream-pr.yml +++ b/.github/workflows/sync-upstream-pr.yml @@ -1,4 +1,4 @@ -name: Sync Upstream (PR-based, fork-safe) +name: Sync Upstream (PR-based) on: schedule: 
@@ -8,58 +8,30 @@ on: permissions: contents: write pull-requests: write + workflows: write jobs: sync: runs-on: ubuntu-latest steps: - - name: Checkout fork - uses: actions/checkout@v4 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Configure git - run: | + - run: | git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - name: Add upstream - run: | + - run: | git remote add upstream https://github.com/github/docs.git || true git fetch upstream - - - name: Create sync branch from upstream - run: | git checkout -B upstream-sync upstream/main - - # 🚫 CRITICAL FIX: remove workflows from the index ONLY - - name: Exclude upstream workflows from fork - run: | - git rm -r --cached .github/workflows || true - - - name: Commit sanitized upstream changes - run: | - git add . - git commit -m "Sync upstream (exclude workflows)" || echo "No changes" - - - name: Push sync branch - run: | git push origin upstream-sync --force - - name: Create or update PR - uses: peter-evans/create-pull-request@v6 + - uses: peter-evans/create-pull-request@v6 with: branch: upstream-sync base: main title: "⬆️ Sync with upstream (github/docs)" - body: | - Automated upstream sync PR. - - - Fork-safe - - Upstream workflows excluded - - Runs every 5 minutes - labels: | - upstream-sync - automated - delete-branch: false + body: Automated upstream sync From 85ec8ef0650f9d9251e5e1d0537207832053d71e Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 14:32:49 -0800 Subject: [PATCH 09/11] Remove workflows permission from sync-upstream-pr.yml Removed workflows permission from GitHub Actions. --- .github/workflows/sync-upstream-pr.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml index f778fb70fe97..7869d3070694 100644 --- a/.github/workflows/sync-upstream-pr.yml +++ b/.github/workflows/sync-upstream-pr.yml 
@@ -8,7 +8,6 @@ on: permissions: contents: write pull-requests: write - workflows: write jobs: sync: From 03727bb0cc9c778a65c9e220dfe4317c4f8f6cc6 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 14:44:02 -0800 Subject: [PATCH 10/11] Update sync-upstream-pr.yml --- .github/workflows/sync-upstream-pr.yml | 44 +++++++++++++++++++------- 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml index 7869d3070694..ff66f5443b4d 100644 --- a/.github/workflows/sync-upstream-pr.yml +++ b/.github/workflows/sync-upstream-pr.yml @@ -1,9 +1,9 @@ -name: Sync Upstream (PR-based) +name: Sync Upstream (No Workflows) on: - schedule: - - cron: "*/5 * * * *" workflow_dispatch: + schedule: + - cron: "0 3 * * *" # daily at 3am UTC permissions: contents: write 
@@ -14,23 +14,43 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout fork + uses: actions/checkout@v4 with: fetch-depth: 0 - - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - - - run: | + - name: Add upstream + run: | git remote add upstream https://github.com/github/docs.git || true git fetch upstream + + - name: Reset to upstream main + run: | git checkout -B upstream-sync upstream/main + + - name: Remove upstream workflows (IMPORTANT) + run: | + rm -rf .github/workflows + mkdir -p .github/workflows + echo "# intentionally empty" > .github/workflows/.keep + + - name: Commit changes + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add -A + git commit -m "Sync upstream (exclude workflows)" || echo "No changes" + + - name: Push branch + run: | git push origin upstream-sync --force - - uses: peter-evans/create-pull-request@v6 + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 with: branch: upstream-sync + title: "Sync upstream (exclude workflows)" + body: | + Automated upstream sync. + `.github/workflows` intentionally excluded. base: main - title: "⬆️ Sync with upstream (github/docs)" - body: Automated upstream sync From 4b5301dcae21dbf0af0e334ceab10bd3b22923f1 Mon Sep 17 00:00:00 2001 From: Abel Date: Fri, 6 Feb 2026 22:11:44 -0800 Subject: [PATCH 11/11] Delete .github/workflows/sync-upstream-pr.yml --- .github/workflows/sync-upstream-pr.yml | 56 -------------------------- 1 file changed, 56 deletions(-) delete mode 100644 .github/workflows/sync-upstream-pr.yml diff --git a/.github/workflows/sync-upstream-pr.yml b/.github/workflows/sync-upstream-pr.yml deleted file mode 100644 index ff66f5443b4d..000000000000 --- a/.github/workflows/sync-upstream-pr.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Sync Upstream (No Workflows) - -on: - workflow_dispatch: - schedule: - - cron: "0 3 * * *" # daily at 3am UTC - -permissions: - contents: write - pull-requests: write - -jobs: - sync: - runs-on: ubuntu-latest - - steps: - - name: Checkout fork - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Add upstream - run: | - git remote add upstream https://github.com/github/docs.git || true - git fetch upstream - - - name: Reset to upstream main - run: | - git checkout -B upstream-sync upstream/main - - - name: Remove upstream workflows (IMPORTANT) - run: | - rm -rf .github/workflows - mkdir -p .github/workflows - echo "# intentionally empty" > .github/workflows/.keep - - - name: Commit changes - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add -A - git commit -m "Sync upstream (exclude workflows)" || echo "No changes" - - - name: Push branch - run: | - git push origin upstream-sync --force - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: - branch: upstream-sync - title: "Sync upstream (exclude workflows)" - body: | - Automated upstream sync. - `.github/workflows` intentionally excluded. - base: main
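Review bot: In [PATCH 01/11], the new GITHUB_ACTIONS_ACCEPTABLE_USE.md still carries unresolved citation placeholders of the form `:contentReference[oaicite:1]{index=1}` after most paragraphs and in section 7, so none of the policy statements links to a source. Replace each marker with a link to the specific GitHub terms page it is meant to cite, or remove it, and give the two entries in "7. References" real URLs. Also, section 3 recommends pinning actions "to commit hashes or specific releases" while section 6 says "Pin action versions to stable releases"; use the commit-hash wording in both places, since a release tag can be moved after the fact.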
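Review bot: In [PATCH 02/11], hunk `@@ -17,7 +17,7`, the replacement "Examples included" drops the colon that introduces the bullet list and switches to past tense, which is a regression in a commit described as correcting grammar. Keep the original "Examples include:".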
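Review bot: In [PATCH 02/11], hunk `@@ -28,7 +28,7`, changing the lead-in to "activities that:" leaves the two bullets below it starting with the singular verbs "attempts" and "initiates", so the sentence no longer agrees. Either revert to "activity that:" or change the bullets to "attempt" and "initiate" in the same hunk.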
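Review bot: In [PATCH 02/11], hunk `@@ -55,7 +55,7`, the added bullet "Using GitHub actions to scam/spam is against our Rules" does not complete the list's lead-in "Avoid workflows that:", repeats what the first bullet already says about spam, and speaks as GitHub ("our Rules") in a document that otherwise refers to GitHub in the third person. Drop the bullet, or reword it as a verb phrase that follows the lead-in, and restore the blank line before `---` that this hunk removes.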
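Review bot: In [PATCH 03/11], sync-upstream.yml, the merge step `git merge upstream/main --no-edit || echo "Nothing to merge"` turns every merge failure into a success, so a conflict is reported as "Nothing to merge" and the job goes on to `git push origin main`. The workflow also sets no `user.name` or `user.email`, which a non-fast-forward merge commit needs, and that failure would be hidden the same way. Let the merge step fail the job, add the identity configuration, and reconsider the `*/5 * * * *` schedule: the guide added in patch 01 lists "overly aggressive schedules" as a problem, and a job with `contents: write` pushing to `main` unattended every five minutes leaves no review point.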
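Review bot: In [PATCH 05/11], hunk `@@ -1,103 +0,0` is not a rename: it deletes the whole "docs-internal Moda CI" workflow (config bundle, Docker image build with `attest: true`, and the docker-security job) that patch 04 had only renamed at 100% similarity, and adds an unrelated file. Each of those jobs is already gated with `if: ${{ github.repository == 'github/docs-internal' }}`, so the deletion is not needed to keep them from running elsewhere. Leave the CI workflow in place under its original name and change the subject line to describe the new workflow being added.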
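Review bot: In [PATCH 05/11], the new sync-upstream-pr.yml references `peter-evans/create-pull-request@v6` and `actions/checkout@v4` by tag in a job that holds `contents: write` and `pull-requests: write`, which contradicts the mitigation this series documents in patch 01 ("pin action versions to commit hashes"). Pin both to a full commit SHA with the version in a trailing comment. The PR body also claims "Fork-safe", but nothing in this version of the workflow filters what comes from `upstream/main` before `git push origin upstream-sync --force`; remove the claim or add the check that justifies it.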
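Review bot: In [PATCH 07/11], hunk `@@ -33,17 +33,15`, the exclusion is undone by the next step: `git rm -r --cached .github/workflows` removes the files from the index only and leaves them in the working tree, and the following `git add .` stages them again, so the commit labelled "Sync upstream (exclude workflows)" still contains the upstream workflows. The `|| true` also hides the case where the path does not exist. Either keep the working-tree removal from patch 06, or stage with a pathspec that skips the directory, for example `git add -- . ':!.github/workflows'`.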
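Review bot: In [PATCH 08/11], hunk `@@ -8,58 +8,30`, the added line `workflows: write` is not a scope that a workflow's `permissions` block accepts, so the file stops being valid until patch 09 removes the line again; squash the two commits. The same hunk deletes the "Exclude upstream workflows from fork" step and every step name, so from this commit on the contents of upstream `.github/workflows` go straight into the force-pushed `upstream-sync` branch and the run log no longer says which step is which. If dropping the exclusion is intended, say so in the commit message rather than describing it as a simplification.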
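Review bot: In [PATCH 11/11], deleting sync-upstream-pr.yml does not return the tree to its starting state: `.github/workflows/sync-upstream.yml` from patch 03 is never removed and still runs on `*/5 * * * *` with `contents: write` and a direct `git push origin main`, and the Moda CI workflow deleted in patch 05 is not restored. Patches 03 through 11 otherwise cancel out, so squash the series down to the guide document and decide explicitly whether sync-upstream.yml should ship; if it should not, delete it here as well.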