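# Nightly documentation scan run by an LLM agent (docker/cagent-action).
# The agent gets an issues-scoped GitHub token and, unless the workflow is
# dispatched in dry-run mode, is expected to open GitHub issues for findings.
name: Nightly Documentation Scan

on:
  schedule:
    # Run every day at 3am UTC
    - cron: "0 3 * * *"
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Report issues but do not create them"
        type: boolean
        default: false

# Workflow-wide GITHUB_TOKEN scope; the `scan` job restates it and adds
# id-token. These permissions constrain github.token only — they do NOT limit
# the bot PAT fetched from AWS Secrets Manager below, whose scope is whatever
# was granted on the GitHub side when the PAT was issued.
permissions:
  contents: read
  issues: write

# Serialize runs so two scans never read/write the cached scanner state at
# the same time; a second trigger waits instead of cancelling the first.
concurrency:
  group: nightly-docs-scan
  cancel-in-progress: false

jobs:
  scan:
    runs-on: ubuntu-latest
    # NOTE(review): the agent step below passes `timeout: 1200`, which looks
    # like the same 20 minutes as this job timeout; checkout, cache and
    # credential setup eat into that budget, so the job is likely cancelled
    # before the agent's own timeout ever fires. Consider a few minutes of
    # headroom here — confirm cagent-action's timeout unit first.
    timeout-minutes: 20
    permissions:
      id-token: write  # OIDC token used by configure-aws-credentials (role-to-assume, no static keys)
      contents: read
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1

      - name: Ensure cache directory exists
        run: mkdir -p "${{ github.workspace }}/.cache"

      # The exact key contains run_id and never exists yet, so state comes
      # from the newest cache matching the repository-scoped prefix in
      # restore-keys; the save step at the end writes this run's key.
      - name: Restore scanner state
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ${{ github.workspace }}/.cache/scanner-memory.db
            ${{ github.workspace }}/.cache/scan-history.json
          key: docs-scanner-state-${{ github.repository }}-${{ github.run_id }}
          restore-keys: |
            docs-scanner-state-${{ github.repository }}-

      # Best effort: when role assumption fails the PAT step is skipped and the
      # scan runs with github.token, limited to the job `permissions` above.
      - name: Configure AWS credentials
        id: aws-credentials
        continue-on-error: true
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          role-to-assume: arn:aws:iam::710015040892:role/docker-agent-action-20260409141318957000000001
          aws-region: us-east-1

      # Reads the bot PAT from Secrets Manager and exports it as
      # GITHUB_APP_TOKEN. `shell: bash` plus `set -o pipefail` make a failing
      # `aws` call visible instead of being masked by a succeeding `jq`, and
      # `.pat // empty` turns a missing or null field into an empty string —
      # previously the literal string "null" would have been exported, which
      # the `||` fallbacks in the scan step treat as a valid token.
      # Any failure degrades to github.token with a warning, matching the
      # best-effort intent of the credentials step.
      - name: Fetch bot PAT
        if: steps.aws-credentials.outcome == 'success'
        shell: bash
        run: |
          set -euo pipefail
          if ! PAT=$(aws secretsmanager get-secret-value \
                --secret-id docker-agent-action/github-app \
                --query SecretString \
                --output text | jq -r '.pat // empty'); then
            echo "::warning::Could not read bot PAT from Secrets Manager; falling back to github.token"
            exit 0
          fi
          if [ -z "$PAT" ]; then
            echo "::warning::Bot PAT secret has no 'pat' value; falling back to github.token"
            exit 0
          fi
          # Register the mask before the value can appear on any log line.
          echo "::add-mask::$PAT"
          echo "GITHUB_APP_TOKEN=$PAT" >> "$GITHUB_ENV"

      # The agent's own `gh` calls (GH_TOKEN) and the action's github-token use
      # the bot PAT when it was exported, else github.token. On the schedule
      # trigger `inputs.dry-run` is unset, so the `||` branch of the prompt
      # expression (the normal scan prompt) is used. Dry-run mode relies on
      # the agent honoring the prompt — the token still has issues: write.
      - name: Run documentation scan
        uses: docker/cagent-action@f208610469d69f20983cad64c577949a132caa33 # v1.5.3
        env:
          GH_TOKEN: ${{ env.GITHUB_APP_TOKEN || github.token }}
        with:
          agent: ${{ github.workspace }}/.github/agents/docs-scanner.yaml
          prompt: "${{ inputs.dry-run == true && 'DRY RUN MODE: Do not create any GitHub issues. Report what you would create but skip the gh issue create commands.' || 'Run the nightly documentation scan as described in your instructions.' }}"
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          github-token: ${{ env.GITHUB_APP_TOKEN || github.token }}
          timeout: 1200

      # Persist state even when the scan step failed or was cancelled so the
      # next nightly run can pick up from it.
      - name: Save scanner state
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        if: always()
        with:
          path: |
            ${{ github.workspace }}/.cache/scanner-memory.db
            ${{ github.workspace }}/.cache/scan-history.json
          key: docs-scanner-state-${{ github.repository }}-${{ github.run_id }}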