Enhance github action security (#255)

* always use npm to manage package Signed-off-by: 守辰 <shouchen.zz@alibaba-inc.com> * enhance security for github actions Signed-off-by: 守辰 <shouchen.zz@alibaba-inc.com> --------- Signed-off-by: 守辰 <shouchen.zz@alibaba-inc.com>
2025-07-09 13:08:41 +08:00 · 2025-07-09 13:08:41 +08:00 · e1bf395efa
parent bce21bb82e
commit e1bf395efa
2 changed files with 8 additions and 2 deletions
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@ -8,6 +8,9 @@ on:
    branches:
      - master

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
  checks:
    if: github.event_name != 'push'
@ -30,6 +33,7 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
+      pages: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
@ -43,6 +47,8 @@ jobs:
          USE_SSH: true
          GIT_USER: git
          DEPLOYMENT_BRANCH: gh-pages
+          ALGOLIA_API_KEY: ${{ secrets.ALGOLIA_API_KEY }}
+          ALGOLIA_APP_ID: ${{ secrets.ALGOLIA_APP_ID }}
        run: |
          git config --global user.email "actions@github.com"
          git config --global user.name "gh-actions"
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@ -122,9 +122,9 @@ function getNextVersionName() {
          '⭐️ If you like OpenKruise, give it a star on <a target="_blank" rel="noopener noreferrer" href="https://github.com/openkruise/kruise">GitHub</a>! ⭐️',
      },
      algolia: {
-        apiKey: '72ec0a3c892141cf32490c676bb66628',
+        apiKey: process.env.Algolia_API_KEY || 'default key',
        indexName: 'openkruise',
-        appId: 'FKASWWQYOP',
+        appId: process.env.Algolia_APP_ID || 'default id',
        contextualSearch: false,
        searchParameters: {},
      },