Pass shared build config via artifact to eliminate duplicate inputs #37
Draft
Consumer repos currently must specify the same inputs (strict, continue-on-error, path-pattern, path-pattern-ignore, enable-vale-linting) in both their docs-build and docs-deploy caller workflows. This creates maintenance burden and drift risk when the values diverge.

docs-build.yml now exports these shared inputs as a versioned JSON artifact (docs-build-config). docs-deploy.yml downloads it from the triggering workflow_run and uses those values, removing the 5 duplicate inputs from its workflow_call interface.

Security: JSON is produced with jq --arg (no shell interpolation), parsed with jq only, schema/type-validated, boolean values allowlisted, and path patterns denied shell metacharacters. The artifact is tied to the specific workflow_run.id.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Instead of manually serializing each shared input field, use toJSON(inputs) to pass the entire inputs object as a single JSON blob. The deploy workflow uses fromJSON() to access individual fields. Adding new shared inputs now requires zero changes to the serialization/deserialization code.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The version field added speculative complexity without a concrete use case. The artifact now contains the raw toJSON(inputs) output, and the deploy side reads it directly with no unwrapping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The deploy workflow now requires the config artifact from the build workflow. If it is missing, the download step fails hard rather than falling back to defaults silently.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

toJSON(inputs) is produced by GitHub from schema-constrained workflow_call inputs — the JSON is always valid and values are always scalars. No need to re-validate on the deploy side.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

It defaults to github.token already.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Consumer repos must currently specify the same 5 inputs (strict, continue-on-error, path-pattern, path-pattern-ignore, enable-vale-linting) in both their docs-build.yml and docs-deploy.yml caller workflows. For example, docs-content and docs-eng-playground both duplicate enable-vale-linting: true and path-pattern: 'docs/**' across both files. This creates maintenance burden and drift risk when the values diverge between the two callers.

How it works
- docs-build.yml — new export-config job serializes the 5 shared input values into a versioned JSON artifact (docs-build-config) using jq --arg
- docs-deploy.yml — downloads the artifact from the triggering workflow_run, validates it, and uses the values via preflight job outputs (cfg-strict, cfg-continue-on-error, etc.)
- docs-deploy.yml's workflow_call interface — only disable-comments and enable-cumulative-comment remain

Security hardening
The artifact is parsed defensively since it originates from a different workflow run:
- jq --arg, parsed exclusively with jq
- strict and continue-on-error must be exactly "true" or "false"
- ;|&$\(){}\`)
- run-id: ${{ github.event.workflow_run.id }}
- $GITHUB_OUTPUT using heredoc delimiters to prevent multi-line corruption

Breaking change
Consumer repos that pass the 5 removed inputs to docs-deploy.yml will get a workflow validation error and must remove them from their deploy caller workflow. After this change, a consumer's docs-deploy.yml simplifies from: to:

The shared config values are now automatically inherited from whatever was passed to docs-build.yml.

Test plan
- docs-eng-playground) at this branch for both workflows
- docs-build-config artifact is uploaded by the build workflow
- docs-deploy downloads and parses the artifact (check "Parse and validate config" step logs)

🤖 Generated with Claude Code
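
The checks listed under Security hardening, as an added example in Python that is not the workflow's own code (the PR describes a jq-based step): it validates the artifact JSON and renders $GITHUB_OUTPUT heredoc blocks. The all-string value shape, the function names and the sample artifact are assumptions.

```python
import json
import secrets

# Field names come from the PR description; the all-strings shape assumes
# values serialized with `jq --arg`, which always emits JSON strings.
BOOLEAN_FIELDS = ("strict", "continue-on-error")
PATTERN_FIELDS = ("path-pattern", "path-pattern-ignore")
ALL_FIELDS = BOOLEAN_FIELDS + PATTERN_FIELDS + ("enable-vale-linting",)
SHELL_METACHARS = set(";|&$\\(){}`")  # denylist quoted in the description


def validate_config(raw: str) -> dict:
    """Parse artifact text; return only the known fields or raise ValueError."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"config is not valid JSON: {exc}") from None
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    checked = {}
    for key in ALL_FIELDS:
        value = cfg.get(key)
        if not isinstance(value, str):
            raise ValueError(f"{key}: missing or not a string")
        if key in BOOLEAN_FIELDS and value not in ("true", "false"):
            raise ValueError(f"{key}: must be exactly 'true' or 'false'")
        if key in PATTERN_FIELDS and SHELL_METACHARS & set(value):
            raise ValueError(f"{key}: contains a shell metacharacter")
        checked[key] = value  # unknown keys in the artifact are dropped
    return checked


def render_github_output(values: dict) -> str:
    """Render name<<DELIM blocks so a value cannot add or alter other outputs."""
    chunks = []
    for key, value in values.items():
        delim = f"EOF_{secrets.token_hex(16)}"
        if delim in value:  # practically unreachable with a random delimiter
            raise ValueError(f"{key}: value collides with heredoc delimiter")
        chunks.append(f"cfg-{key}<<{delim}\n{value}\n{delim}\n")
    return "".join(chunks)


# Constructed sample artifact content, not taken from a real run.
SAMPLE = json.dumps({"strict": "true", "continue-on-error": "false",
                     "path-pattern": "docs/**", "path-pattern-ignore": "",
                     "enable-vale-linting": "true", "extra": "ignored"})

if __name__ == "__main__":
    print(render_github_output(validate_config(SAMPLE)), end="")
```

The per-value random delimiter is what keeps a value containing a line such as cfg-strict=false inside its own output instead of defining a second one.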