Documentation: complete contributing guide and publish to GitHub Pages using GitHub Actions

[Guts]

Render:

Capture.video.du.2025-03-26.18-34-45.mp4

❤️ Funded by Oslandia

[kannes]

Ooh fancy, thank you! That looks great :)

Action safety

I am a bit scared by the third-party action uses: dawidd6/action-download-artifact@v9

From what I learned, this is not safe as it is only referencing a version, not a commit hash. That way the author (or a malicious actor who got access to the author's repo) could publish a malicious v9. Crafting a SHA1 collision is possible too but harder and I doubt someone would go that length if they could own vX people more easily.

Could you specify a specific git commit instead?

(I was hoping that action was easy to review but it is three gazillion node packages. I guess we can assume that it is currently safe to use though... :} )

[Guts]

I get your point but it sounds to me an overkill security safety since it only manipulate documentation files with no content write and no access to secrets. Well it could publish on GH Pages.

Nevertheless, I've changed to the commit hash.

[jmkerloch]

We now just have to add the documentation for the plugin use 😄

[kannes]

I get your point but it sounds to me an overkill security safety since it only manipulate documentation files with no content write and no access to secrets. Well it could publish on GH Pages.

Nevertheless, I've changed to the commit hash.

Now you know how much I know about actions and permissions ;D
Better safe than sorry though!

Thank you

[kannes]

Would it make sense to update the homepage in metadata.txt to this? I'd like that :)

[Guts]

Now you know how much I know about actions and permissions ;D
Better safe than sorry though!

No worries, your project, your rules and indeed it's wiser than the reverse :).

Would it make sense to update the homepage in metadata.txt to this? I'd like that :)

Good idea! Done in latest commit!