chore(infra): harden api docs build workflow (#32243)

Harden permissions for api docs build workflow
2025-08-23 19:41:54 +00:00 · 2025-07-25 14:40:20 -04:00 · 2025-07-25 14:40:20 -04:00 · 549ecd3e78
commit 549ecd3e78
parent a0671676ae
1 changed files with 15 additions and 3 deletions
--- a/.github/workflows/api_doc_build.yml
+++ b/.github/workflows/api_doc_build.yml
@ -11,7 +11,8 @@ jobs:
  build:
    if: github.repository == 'langchain-ai/langchain' || github.event_name != 'schedule'
    runs-on: ubuntu-latest
-    permissions: write-all
+    permissions:
+      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
@ -51,7 +52,20 @@ jobs:
          
          # Checkout each unique repository that is in langchain-ai org
          for repo in $REPOS; do
+            # Validate repository is in langchain-ai org
+            if [[ ! "$repo" =~ ^langchain-ai/[a-zA-Z0-9_.-]+$ ]]; then
+              echo "Error: Invalid repository format: $repo"
+              exit 1
+            fi
+            
            REPO_NAME=$(echo $repo | cut -d'/' -f2)
+            
+            # Additional validation for repo name
+            if [[ ! "$REPO_NAME" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+              echo "Error: Invalid repository name: $REPO_NAME"
+              exit 1
+            fi
+            
            echo "Checking out $repo to $REPO_NAME"
            git clone --depth 1 https://github.com/$repo.git $REPO_NAME
          done
@ -70,8 +84,6 @@ jobs:

      - name: Move libs
        run: python langchain/.github/scripts/prep_api_docs_build.py
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Rm old html
        run: