Dev-iL opened a new pull request, #1510: URL: https://github.com/apache/hamilton/pull/1510
### Motivation The `build-docs` job in `sphinx-docs.yml` fails with a 403 error when triggered by pull requests from forks (non-maintainers). The "Deploy documentation" step attempts to `git push` to `apache/hamilton.git` using the `GITHUB_TOKEN`, but fork PRs receive a read-only token that cannot push to the upstream repository. ``` remote: Permission to apache/hamilton.git denied to github-actions[bot]. fatal: unable to access 'https://github.com/apache/hamilton.git/': The requested URL returned error: 403 ``` The docs build and artifact upload succeed — only the deploy step fails. Deploying on PRs is unnecessary since the built docs are already captured as downloadable artifacts. ### Changes **1. Skip deploy on pull requests** (core fix) Added `if: github.event_name != 'pull_request'` to the "Deploy documentation" step. This ensures deploy only runs on `push` (to `main`/`update_references`) and `workflow_dispatch` events, where the token has write access. PR builds still produce and upload artifacts for review. **2. Scope concurrency group per-ref** Changed the concurrency group from a static `"doc-pages"` to `"doc-pages-${{ github.ref }}"`. Previously, any docs PR could cancel an in-progress production deploy from a push to `main`. Now each branch/PR gets its own concurrency group. **3. Mask token in logs** Moved the `github.token` from an inline `${{ }}` expression in the `git push` URL to an `env:` block (`GITHUB_TOKEN`). Shell environment variables referenced as `${GITHUB_TOKEN}` are automatically masked by GitHub Actions in log output, whereas `${{ }}` expressions are expanded before the shell runs and can appear in error messages if the command fails. ## How I tested this N/A will test on CI. ## Notes ## Checklist - [ ] PR has an informative and human-readable title (this will be pulled into the release notes) - [ ] Changes are limited to a single goal (no scope creep) - [ ] Code passed the pre-commit check & code is left cleaner/nicer than when first encountered. - [ ] Any _change_ in functionality is tested - [ ] New functions are documented (with a description, list of inputs, and expected output) - [ ] Placeholder code is flagged / future TODOs are captured in comments - [ ] Project documentation has been updated if adding/changing functionality. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
