mirror of
https://github.com/langgenius/dify-docs.git
synced 2026-03-27 13:28:32 +07:00
Critical security fix: Update workflow now properly waits for Analyze workflow completion and uses validated artifacts.

BEFORE (Security Gap):
- sync_docs_analyze.yml: read-only permissions, validates inputs
- sync_docs_update.yml: write permissions, re-runs analysis BYPASSING validations
- Both run in parallel independently
- Security checks (file size, count, path validation) were bypassed

AFTER (Secure Chain):
- sync_docs_analyze.yml: validates inputs with security checks
  - File count limit (max 50)
  - File size limit (10MB)
  - Path validation (no ../ traversal)
  - File type validation (.md, .mdx, .json only)
  - Creates validated sync_plan.json artifact
- sync_docs_update.yml: triggered ONLY after analyze succeeds
  - Downloads validated sync_plan.json artifact
  - Uses pre-validated inputs (no re-analysis)
  - Proceeds with write operations only if validation passed

Changes:
- Trigger: pull_request → workflow_run on analyze completion
- Removed: check-event-type job (redundant)
- Removed: pr_analyzer validation (already done in analyze)
- Added: Artifact download from analyze workflow
- Added: Load and validate sync_plan.json
- Simplified: Single job that trusts validated inputs

Result: Proper security boundary where validation (read-only) and execution (write) are separated.