
Add workflow to prevent changes to Extensions list

Open heitortsergent opened this issue 5 months ago • 3 comments

What?

Add a workflow to prevent users from changing the explore.md file. The file should only be updated by maintainers, or the Extension Registry workflow in this repo.

Checklist

  • [x] I have used a meaningful title for the PR.
  • [x] I have described the changes I've made in the "What?" section above.
  • [x] I have performed a self-review of my changes.
  • [ ] I have run the npm start command locally and verified that the changes look good.
  • [ ] I have made my changes in the docs/sources/k6/next folder of the documentation.
  • [ ] I have reflected my changes in the docs/sources/k6/v{most_recent_release} folder of the documentation.
  • [ ] I have reflected my changes in the relevant folders of the two previous k6 versions of the documentation (if still applicable to previous versions).
  • [ ] I have made my changes in the docs/sources/k6/next folder of the documentation.

Related PR(s)/Issue(s)

https://github.com/grafana/k6-docs/pull/1961

heitortsergent avatar Jul 02 '25 16:07 heitortsergent

:cry: zizmor failed with exit code 14.

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/prevent-manual-extension-registry-changes.yml:8:1
   |
 8 | / on:
 9 | |   pull_request_target:
10 | |     paths:
11 | |       - 'docs/k6/*/extensions/explore.md'
   | |_________________________________________^ pull_request_target is almost always used insecurely
   |
   = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/prevent-manual-extension-registry-changes.yml:26:9
   |
26 |         uses: xalvarez/prevent-file-change-action@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

7 findings (5 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 2 high

github-actions[bot] avatar Jul 02 '25 16:07 github-actions[bot]

:cry: zizmor failed with exit code 14.

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/prevent-manual-extension-registry-changes.yml:27:9
   |
27 |         uses: xalvarez/prevent-file-change-action@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

6 findings (5 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 1 high

github-actions[bot] avatar Jul 02 '25 16:07 github-actions[bot]

@codebien would you be able to help me with this? 🙏

I'm wondering if this looks right / if the workflow should be running on this PR already. 🤔

heitortsergent avatar Jul 02 '25 17:07 heitortsergent
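
The two rules zizmor reports in this thread, reduced to a line-based check, as an added example that is not part of the thread and is not zizmor's own code. The sample workflow is constructed around the lines quoted in the output above; the job layout, the checkout step and its all-zero SHA are assumptions.

```python
import re

PLACEHOLDER_SHA = "0" * 40  # constructed value, not a real commit

# Constructed sample: only the trigger block and the prevent-file-change
# step come from the zizmor output in the thread; the rest is made up.
SAMPLE_WORKFLOW = f"""\
on:
  pull_request_target:
    paths:
      - 'docs/k6/*/extensions/explore.md'
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # placeholder pin
      - name: Prevent file change
        uses: xalvarez/prevent-file-change-action@v2
"""

# Matches `uses:` as a mapping key or as the first key of a list item.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
# A pinned reference ends in a full 40-character commit SHA, not a tag or branch.
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")
# Only the block forms (`pull_request_target:` key or `- pull_request_target`)
# are recognised; inline `on: [...]` lists are out of scope for this sketch.
TRIGGER_RE = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*(?:#.*)?$")


def audit_workflow(text):
    """Return (line_number, rule, detail) tuples for the two rules in the thread."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        if TRIGGER_RE.match(line):
            findings.append((lineno, "dangerous-triggers", "pull_request_target"))
            continue
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker:// images follow different pinning rules.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((lineno, "unpinned-uses", ref))
    return findings
```
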