From e8373daa15ab49b1c7999541df9f8c43039bedab Mon Sep 17 00:00:00 2001
From: thinkall
Date: Sat, 9 May 2026 12:29:33 +0000
Subject: [PATCH 1/3] ci(docs): always trigger on PRs, move file filtering into workflow

- Drop the `paths` trigger filters so the docs workflow always runs on pull requests (and pushes) and reliably reports its check status.
- Add a `changes` job using dorny/paths-filter@v3 to detect doc-related changes inside the workflow with recursive globs (`flaml/**`, `website/**`, `.github/workflows/deploy-website.yml`).
- Gate `checks` and `gh-release` on the filter output so the heavy steps are skipped when no doc-related files changed, while `workflow_dispatch` (and `merge_group` for `checks`) can still force a run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/deploy-website.yml | 29 ++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 5275355f50..543cc3af7d 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -3,16 +3,8 @@ name: docs
 on:
 pull_request:
 branches: [main]
- paths:
- - 'flaml/*'
- - 'website/*'
- - '.github/workflows/deploy-website.yml'
 push:
 branches: [main]
- paths:
- - 'flaml/*'
- - 'website/*'
- - '.github/workflows/deploy-website.yml'
 workflow_dispatch:
 merge_group:
 types: [checks_requested]
@@ -21,8 +13,24 @@ permissions:
 contents: write
 jobs:
+ changes:
+ runs-on: ubuntu-latest
+ outputs:
+ docs: ${{ steps.filter.outputs.docs }}
+ steps:
+ - uses: actions/checkout@v3
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ docs:
+ - 'flaml/**'
+ - 'website/**'
+ - '.github/workflows/deploy-website.yml'
+
 checks:
- if: github.event_name != 'push'
+ needs: changes
+ if: github.event_name != 'push' && (needs.changes.outputs.docs == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group')
 runs-on: ubuntu-latest
 defaults:
 run:
@@ -58,7 +66,8 @@ jobs:
 npm run build
 fi
 gh-release:
- if: github.event_name != 'pull_request'
+ needs: changes
+ if: github.event_name != 'pull_request' && (needs.changes.outputs.docs == 'true' || github.event_name == 'workflow_dispatch')
 runs-on: ubuntu-latest
 defaults:
 run:
From 68782368129203ebb3d1d1fb55f35625fd3aaca3 Mon Sep 17 00:00:00 2001
From: thinkall
Date: Sat, 9 May 2026 12:38:08 +0000
Subject: [PATCH 2/3] ci(docs): grant pull-requests:read for dorny/paths-filter, scope contents:write to deploy

Address review: dorny/paths-filter@v3 calls the GitHub PR Files API on pull_request events and needs `pull-requests: read`. Without it, the `changes` job can fail with 403 on PRs and block downstream jobs via `needs: changes`.
- Drop workflow-level `contents: write`; default to least-privilege `contents: read` and add `pull-requests: read` so the filter can read PR file lists.
- Move `contents: write` to the `gh-release` job only, where peaceiris/actions-gh-pages needs it to push to the gh-pages branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/deploy-website.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 543cc3af7d..c5277f00c6 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
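Review bot: In the `changes` job added by PATCH 1/3 (hunk `@@ -21,8 +13,24 @@`), `dorny/paths-filter@v3` is referenced by a mutable tag while the job inherits the workflow-level `contents: write` visible in the hunk's context, so whatever that tag resolves to runs with a write-capable token on `push` and on PRs from branches in the same repository. Pin the action to a full commit SHA, `- uses: dorny/paths-filter@<full-commit-sha>  # v3`, and give the job its own `permissions:` block with `contents: read` and `pull-requests: read`. Separately, `checks` and `gh-release` now both carry `needs: changes`, so a failed filter job presumably skips the build and the deploy; a short comment above `needs: changes` stating that this is intended would help the next maintainer.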
@@ -10,7 +10,8 @@ on:
 types: [checks_requested]
 permissions:
- contents: write
+ contents: read
+ pull-requests: read
 jobs:
 changes:
@@ -69,6 +70,8 @@ jobs:
 needs: changes
 if: github.event_name != 'pull_request' && (needs.changes.outputs.docs == 'true' || github.event_name == 'workflow_dispatch')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 defaults:
 run:
 working-directory: website
From 5c7c23d00ab67cf05b160ce46440bab358b73e0f Mon Sep 17 00:00:00 2001
From: thinkall
Date: Sat, 9 May 2026 12:57:22 +0000
Subject: [PATCH 3/3] ci(docs): keep workflow-level contents:write, only add pull-requests:read

Per review feedback, restore `contents: write` at the workflow level (needed by gh-release for peaceiris/actions-gh-pages to push to gh-pages) and just additively grant `pull-requests: read` so dorny/paths-filter@v3 can read PR file lists via the GitHub API.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/deploy-website.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index c5277f00c6..109c5c6699 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -10,7 +10,7 @@ on:
 types: [checks_requested]
 permissions:
- contents: read
+ contents: write
 pull-requests: read
 jobs:
@@ -70,8 +70,6 @@ jobs:
 needs: changes
 if: github.event_name != 'pull_request' && (needs.changes.outputs.docs == 'true' || github.event_name == 'workflow_dispatch')
 runs-on: ubuntu-latest
- permissions:
- contents: write
 defaults:
 run:
 working-directory: website
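Review bot: Restoring `contents: write` at workflow level in PATCH 3/3 (hunk `@@ -10,7 +10,7 @@`) undoes the least-privilege split from PATCH 2/3: the write scope again applies to `changes`, which runs the third-party `dorny/paths-filter@v3`, and to `checks`, which (going by the `npm run build` context in PATCH 1/3) builds the site from PR content. The commit message says `gh-release` needs the scope, but the job-level block removed by this patch's second hunk (`@@ -70,8 +70,6 @@`) already granted it exactly there. Keep `contents: read` and `pull-requests: read` at the top and leave `permissions:` with `contents: write` on `gh-release` only. A job-level `permissions` block replaces the workflow-level one for that job, so if the deploy step needs any other scope it has to be listed there too; the commit message mentions only the push to gh-pages.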