[build] fix update-documentation workflow by titusfortner · Pull Request #16505 · SeleniumHQ/selenium
User description
This should allow the stage-release workflow to automatically create the documentation PR which is really difficult to do locally so I hope this works.
PR Type
Bug fix
Description
- Add missing GITHUB_TOKEN secret to stage-release workflow
- Update update-documentation workflow to require GITHUB_TOKEN
- Fix documentation PR creation in automated release process
Diagram Walkthrough
flowchart LR
A["stage-release.yml"] -->|"passes GITHUB_TOKEN"| B["update-documentation.yml"]
B -->|"requires GITHUB_TOKEN"| C["Documentation PR Creation"]
File Walkthrough
| Relevant files |
|---|
| Configuration changes |
PR Compliance Guide 🔍
Below is a summary of compliance checks for this PR:
| Security Compliance | |
| 🟢 | No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code. |
| Ticket Compliance | |
| ⚪ | 🎫 No ticket provided |
| Codebase Duplication Compliance | |
| ⚪ | Codebase context is not defined. Follow the guide to enable codebase context checks. |
| Custom Compliance | |
| ⚪ | No custom compliance provided. Follow the guide to enable custom compliance check. |
Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
PR Code Suggestions ✨
Explore these optional code suggestions:
| Category | Suggestion | Impact |
| Security |
Scope the GitHub token properly
To improve security, avoid setting .github/workflows/update-documentation.yml [45-46] -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# This 'env' block should be removed from the workflow level. +# The secret should be passed to the relevant job(s) instead. +# For example, in the job that needs the token: +# +# jobs: +# your-job-name: +# secrets: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# steps: +# - name: Step that uses the token +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# run: | +# # script that needs GITHUB_TOKEN
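Review bot: The commented example that replaces the `env:` block puts `secrets:` and `steps:` under the same job, which GitHub Actions does not accept: `jobs.<job_id>.secrets` is only valid on a job that calls a reusable workflow with `uses:`. As written, the suggestion also deletes the only place the token is set and leaves nothing but comments, so the steps would have no `GITHUB_TOKEN` in their environment. Keep the removal of the workflow-level `env:`, but replace it with a real step-level `env:` entry `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the single step that opens the PR, and drop the job-level `secrets:` lines from the example.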
Suggestion importance [1-10]: 7
Why: The suggestion correctly points out a security best practice to limit the scope of secrets, which the PR's current implementation violates by setting the | Medium |
| Learned best practice |
Avoid reserved secret name shadowing
Avoid redefining the reserved GITHUB_TOKEN input; rename the secret input to a .github/workflows/update-documentation.yml [40-46] secrets:
SELENIUM_CI_TOKEN:
required: true
- GITHUB_TOKEN:
+ DOCS_GH_TOKEN:
required: true
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.DOCS_GH_TOKEN }}
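Review bot: Renaming the `required: true` secret to `DOCS_GH_TOKEN` changes the interface of this reusable workflow, yet the hunk touches only `update-documentation.yml`; every caller (the PR description names `stage-release.yml`) has to pass `DOCS_GH_TOKEN` in the same change, or the call fails on the missing required secret. The `env:` mapping kept on the last two lines also still exposes the token to every job and step in the workflow; set `GITHUB_TOKEN: ${{ secrets.DOCS_GH_TOKEN }}` on the step that creates the documentation PR instead.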
Suggestion importance [1-10]: 6
Why: | Low |