In one of my repos, I decided that I wanted to store notebooks as markdown, without outputs, for diff/version control reasons. The notebooks would be executed when the docs are built.
Up to this point, I was hosting the docs on ReadTheDocs, but because the notebooks are training neural networks, it was crashing their workers. So I decided to build the notebooks in GHA and deploy my docs using Pages instead. I was able to set up a workflow that does just that, until I got a PR from a fork.
In hindsight, it should have been obvious, but for security reasons a workflow triggered from a fork cannot push directly to the repository.
The solution I was thinking of is something like this:
- PR/fork builds the docs and puts them into an artifact. They could in theory inject whatever they want into that artifact, but they can’t push it anywhere.
- A separate workflow that exists in the main or docs branch is triggered by completion of the previous workflow (i.e. the PR/fork cannot edit this workflow, only trigger it). This second workflow downloads the artifact and pushes it to the docs branch.
I think this should be possible using a workflow_run event, but it’s unclear to me how the second workflow can inspect the triggering workflow to find the artifacts.
Can I get some input on this general approach, or specifically how to get the artifacts from within the second workflow? Thanks!
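A sketch of the second, privileged workflow described above, added here as an example rather than taken from the original post; it assumes the fork-triggerable workflow is named "Build docs", uploads an artifact named "docs-html", and that the docs branch is "gh-pages":

```yaml
# Added example (not from the original post): the second, privileged workflow.
# It lives on the default branch, so a fork's PR can trigger but not edit it.
# Assumed names: build workflow "Build docs", artifact "docs-html",
# docs branch "gh-pages".
name: Publish docs

on:
  workflow_run:
    workflows: ["Build docs"]   # the fork-triggerable build workflow
    types: [completed]

permissions:
  contents: write   # push to the docs branch
  actions: read     # read another run's artifacts

jobs:
  publish:
    runs-on: ubuntu-latest
    # Publish only successful builds of pushes to the repository itself.
    # Dropping the second condition publishes PR builds too, which lets any
    # fork PR overwrite the live site.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push'
    steps:
      - name: Check out the docs branch
        uses: actions/checkout@v4
        with:
          ref: gh-pages
          path: docs-branch

      - name: Download the artifact from the triggering run
        uses: actions/download-artifact@v4
        with:
          name: docs-html
          path: site
          run-id: ${{ github.event.workflow_run.id }}   # not the current run
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Commit and push the built site
        # The artifact is untrusted data: copy the files, never execute or
        # source anything from them here. Untrusted strings such as
        # head_branch go through env, never straight into the shell script.
        env:
          RUN_ID: ${{ github.event.workflow_run.id }}
        run: |
          rsync -a --delete --exclude .git site/ docs-branch/
          cd docs-branch
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "Publish docs from run $RUN_ID" || exit 0   # nothing changed
          git push
```

The run-id and github-token inputs are what let download-artifact fetch an artifact that belongs to a different run than the one currently executing.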