Skip to content

fix(ci): add pull_request trigger to docs-site workflow so required c…#701

Open
Demiserular wants to merge 1 commit into
OWASP:mainfrom
Demiserular:fix/docs-site-pr-trigger
Open

fix(ci): add pull_request trigger to docs-site workflow so required c…#701
Demiserular wants to merge 1 commit into
OWASP:mainfrom
Demiserular:fix/docs-site-pr-trigger

Conversation

@Demiserular

@Demiserular Demiserular commented Jun 17, 2026

Copy link
Copy Markdown

Summary

Add pull_request trigger to docs-site.yml workflow so required status checks run on PRs touching website/** files.

Why this change

The docs-site.yml workflow only triggered on push to main, which meant the two required status checks ("Build Docusaurus site" and "report-build-status") never ran on PRs. This caused all PRs touching website/** files to be blocked by checks that could never pass, requiring --admin to bypass.

What changed

  • Added pull_request trigger with the same paths filter as the existing push trigger
  • Added report-build-status job (the missing required status check)
  • Guarded Upload Pages artifact step with if: github.event_name == 'push' (no artifact needed on PRs)
  • Guarded deploy job with if: github.event_name == 'push' && github.ref == 'refs/heads/main' (only deploy on real merges)

Validation

The workflow changes follow GitHub Actions best practices for PR validation vs production deployment. The build job runs on both PRs and pushes, while artifact upload and deployment are restricted to push events only.

User-facing impact

Does this change:

  • affect scanning behavior
  • affect output formatting
  • affect JSON output
  • affect docs only

Notes

This is a CI/CD fix only. No changes to the actual documentation content or CLI behavior.
Fixes #697

sonukapoor
sonukapoor requested changes Jun 17, 2026
View reviewed changes

@sonukapoor sonukapoor left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @Demiserular, thanks for digging into this - the root cause is correct and the overall approach is solid. A few things to address before we merge.

The branch is behind main. Could you rebase against the latest main before we finalize? git fetch origin && git rebase origin/main then force-push.

report-build-status will always pass, even when the build fails.

The job runs echo "..." unconditionally and always exits 0. That means the required status check shows green on a PR even if the Docusaurus build blew up - which defeats the purpose of having a required check.

Fix:

- name: Report build status
  run: |
    echo "Build completed with status: ${{ needs.build.result }}"
    if [ "${{ needs.build.result }}" != "success" ]; then
      exit 1
    fi

The pull_request trigger has no branches filter.

The push trigger is scoped to main, but pull_request has no branches filter, so it runs on PRs targeting any branch. Worth adding branches: [main] to match:

pull_request:
  branches:
    - main
  paths:
    - "website/**"
    - ".github/workflows/docs-site.yml"

The guards look correct. The if: github.event_name == 'push' on artifact upload and if: github.event_name == 'push' && github.ref == 'refs/heads/main' on deploy are both right - nothing deploys on PRs.

Once those two things are addressed, this is ready.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonukapoor sonukapoor sonukapoor requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(ci): add pull_request trigger to docs-site workflow so required checks run on PRs

2 participants

@Demiserular @sonukapoor