docs: explain usage to manage PR created from forked repositories#320

Merged
afc163 merged 2 commits into afc163:main from tbouffard:docs/explain_usage_with_forked_repositories
Jul 3, 2025

@tbouffard
Contributor

@tbouffard tbouffard commented Feb 13, 2025

Explain how to use the new feature provided in #294.

Provide detailed explanation about a possible strategy, workflow examples and limitations of this solution.
This solution requires 3 workflows for build, deploy and teardown.

We have tested the solution intensively in various repositories

@pr-code-reviewer

pr-code-reviewer bot commented Feb 13, 2025

👋 Hi there!

Everything looks good!


Automatically generated with the help of gpt-3.5-turbo.
Feedback? Please don't hesitate to drop me an email at webber@takken.io.

@coderabbitai

coderabbitai bot commented Feb 13, 2025

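Walkthrough

This update upgrades the GitHub Actions checkout step to v4 and adds a detailed section on the security of preview deployments for pull requests from forked repositories. The section describes a security approach based on three workflows, with complete YAML examples and troubleshooting guidance.

Changes

File/Path | Change summary
README.md | Upgrades all checkout steps to v4; adds a complete section on the security of preview deployments for fork PRs, including the three-workflow approach, detailed YAML examples, and troubleshooting notes.

Poem

A rabbit hops among the docs,
Actions upgraded to the newest version.
Three workflows keep things safe,
Preview deployment is hard no more.
YAML examples are there to browse,
The little code rabbit beams with joy!
🐇✨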



@gitauto-ai gitauto-ai bot added the gitauto label Feb 14, 2025
@tbouffard tbouffard force-pushed the docs/explain_usage_with_forked_repositories branch from f98d2a7 to 2ce3d02 Compare May 28, 2025 14:18
Provide detailed explanation about a possible strategy, workflow examples and limitations of this solution.

[skip ci]
@tbouffard tbouffard force-pushed the docs/explain_usage_with_forked_repositories branch from 2ce3d02 to 570c41f Compare May 28, 2025 14:19
@tbouffard tbouffard marked this pull request as ready for review May 28, 2025 14:20
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. documentation Improvements or additions to documentation labels May 28, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (4)
README.md (4)

124-124: Fix grammar error: missing preposition
In the "security challenge" description, correct "do not have access your to repository secrets" to more fluent English:

- workflows triggered by `pull_request` events do not have access your to repository secrets
+ workflows triggered by `pull_request` events do not have access to your repository secrets
🧰 Tools
🪛 LanguageTool

[uncategorized] ~124-~124: Possible missing preposition found.
Context: ...pull_request` events do not have access your to repository secrets (like your surge ...

(AI_HYDRA_LEO_MISSING_TO)


130-131: Improve the resource list link format, avoid bare URLs
Consider converting the bare URLs into descriptive Markdown links to improve readability:

- - https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+ - [Preventing PWN Requests (GitHub Actions 安全指南)](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)
- - https://github.com/afc163/surge-preview/commit/4931cbc38d650f631f91974da3ccd4809c88aa1b and https://github.com/afc163/surge-preview/issues/99
+ - [相关提交示例](https://github.com/afc163/surge-preview/commit/4931cbc38d650f631f91974da3ccd4809c88aa1b) 及 [Issue #99](https://github.com/afc163/surge-preview/issues/99)
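Review bot: On the two `+` lines the proposed link labels contain Chinese text ("GitHub Actions 安全指南", "相关提交示例", "及"), while the `-` lines they replace are English and join the last two URLs with "and". Use English labels and keep "and" between the commit link and the Issue #99 link, leaving the three URLs unchanged.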
🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

130-130: Bare URL used
null

(MD034, no-bare-urls)


131-131: Bare URL used
null

(MD034, no-bare-urls)


131-131: Bare URL used
null

(MD034, no-bare-urls)


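134-134: Change the emphasized text to a heading
Consider changing the current emphasized line to a level-2 or level-3 heading to match the document hierarchy: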

- **Solution: Use a three-workflow Approach**
+ ### Solution: Use a three-workflow Approach
🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

134-134: Emphasis used instead of a heading
null

(MD036, no-emphasis-as-heading)


142-142: Remove the extra trailing colon from the heading
The colon at the end of the heading breaks Markdown style consistency; consider removing it:

- #### How it works:
+ #### How it works
🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

142-142: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a17bbee and 570c41f.

📒 Files selected for processing (1)
  • README.md (6 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~124-~124: Possible missing preposition found.
Context: ...pull_request` events do not have access your to repository secrets (like your surge ...

(AI_HYDRA_LEO_MISSING_TO)


[uncategorized] ~252-~252: Use a comma before “and” if it connects two independent clauses (unless they are closely connected and short).
Context: ...nally. In this case, the error is caught and a warning is logged. Re-running the wor...

(COMMA_COMPOUND_SENTENCE_2)


[style] ~262-~262: To elevate your writing, try using a synonym here.
Context: ... Limitations In some situations, it is hard to know if the surge deployment has bee...

(HARD_TO)


🔇 Additional comments (6)
README.md (6)

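36-36: Upgrade the checkout action to v4
actions/checkout has been upgraded from v2 to v4, in line with the official recommendation, which brings the latest performance and feature updates.


65-65: Upgrade the checkout action to v4
The "Multiple Jobs" example also upgrades actions/checkout to v4, keeping the examples consistent and in line with best practice.


76-76: Upgrade the checkout action to v4
The second preview job example has the same upgrade, so all examples use the same version.


100-101: Clarify the teardown event type configuration
The new comment accurately explains that when teardown: 'true' is enabled, the closed event must be added to the pull_request trigger, which helps users quickly understand the intent of the configuration.


110-110: Upgrade the checkout action to v4
The Teardown example is also upgraded to v4, so all workflows use a consistent checkout version.


161-161: Upgrade the checkout action to v4
The Build workflow also upgrades actions/checkout to v4, consistent with all the examples above.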

Based on coderabbit.ai feedback
@tbouffard
Contributor Author

@afc163 feel free to review, I will adjust the PR if needed.

Thanks in advance

cc @benjaminParisel


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (6)
README.md (6)

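122-122: Improve the heading wording
The current heading "### Usage to deal with PRs created from forked repositories" could be changed to something more concise and precise, for example "### Managing Pull Requests from Forked Repositories" in English, or "### 管理来自 Fork 仓库的 PR" in Chinese.


124-128: Tighten the security challenge description and fix the definite article
Consider correcting "your to repository secrets" in "workflows triggered by pull_request events do not have access to your to repository secrets" to "the repository secrets", and optionally explaining further how the two differ, for example:

  • pull_request cannot access secrets
  • pull_request_target has access to secrets, but runs the PR branch code, which is a risk

130-131: Convert bare URLs to Markdown links
The following bare URLs appear in the text: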

🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

130-130: Bare URL used
null

(MD034, no-bare-urls)


131-131: Bare URL used
null

(MD034, no-bare-urls)


131-131: Bare URL used
null

(MD034, no-bare-urls)


134-134: Replace bold emphasis with a heading
Consider changing **Solution: Use a three-workflow Approach** to a level-3 or level-4 Markdown heading, for example:

#### Solution: Use a three-workflow Approach

to avoid the "emphasis used instead of heading" linter warning.

🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

134-134: Emphasis used instead of a heading
null

(MD036, no-emphasis-as-heading)


148-151: Add links to the example file paths
Above or below "Here is an example of how to set up these workflows in your repository:", consider adding reference links to the actual reusable workflow files, for example:

  • _reusable_surge-build-preview.yml (build example)
  • _reusable_surge-deploy-preview.yml (deploy example)
  • surge-pr-fork-03-teardown.yml (teardown example)
    to help readers jump quickly to the corresponding source.

266-266: Improve the "hard to know" wording
Consider replacing "hard to know" in "In some situations, it is hard to know if the surge deployment has been done." with the more formal "difficult to determine" or "challenging to verify", to strengthen the professional documentation tone.

🧰 Tools
🪛 LanguageTool

[style] ~266-~266: To elevate your writing, try using a synonym here.
Context: ... Limitations In some situations, it is hard to know if the surge deployment has bee...

(HARD_TO)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 570c41f and 612a511.

📒 Files selected for processing (1)
  • README.md (6 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~144-~144: A determiner appears to be missing. Consider inserting it.
Context: ...n a PR is closed #### How it works 1. First workflow builds the site and saves it a...

(AI_EN_LECTOR_MISSING_DETERMINER)


[uncategorized] ~256-~256: Use a comma before “and” if it connects two independent clauses (unless they are closely connected and short).
Context: ...nally. In this case, the error is caught and a warning is logged. Re-running the wor...

(COMMA_COMPOUND_SENTENCE_2)


[style] ~266-~266: To elevate your writing, try using a synonym here.
Context: ... Limitations In some situations, it is hard to know if the surge deployment has bee...

(HARD_TO)


🔇 Additional comments (6)
README.md (6)

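36-36: Consistent update of the checkout action to v4
Using actions/checkout@v4 in the example workflow is correct; please make sure all the other examples (including the later build, deploy and teardown workflows) are upgraded as well.


65-65: checkout@v4 update confirmed in preview-job-1
actions/checkout has been upgraded here from the old version to @v4, consistent with the above.


76-76: checkout@v4 update confirmed in preview-job-2
Likewise, actions/checkout has been upgraded to @v4. Very good.


100-101: Event type explanation in the Teardown example is clear
The comment states clearly that the closed event must be included when teardown: 'true' is enabled, which helps users configure it correctly.


110-110: checkout@v4 update confirmed in the Teardown example workflow
The teardown stage also uses actions/checkout@v4, keeping the version consistent.


165-165: checkout@v4 update confirmed in the Build workflow
The build stage is likewise upgraded to actions/checkout@v4, consistent with the other examples.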

@tbouffard
Contributor Author

@afc163 could you review this PR please?

We agree that I will work on #323 which will ease use cases described in this PR.
The associated documentation will be updated to use the new deploymentId entry, but I need this PR to be merged first. 😸

@afc163 afc163 merged commit 2eeb596 into afc163:main Jul 3, 2025
3 checks passed
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jul 3, 2025
@tbouffard tbouffard deleted the docs/explain_usage_with_forked_repositories branch July 7, 2025 09:56