Remove RTD PR preview build workflow file and a warning about GitHub Actions v7

I've opened several PRs to remove the GitHub workflow file that builds pull request previews. We now use the RTD GitHub App, making the old webhook with a workflow file redundant for pull request preview builds. Additionally, the call to the old GitHub Action was deprecated on 2025-07-01, per actions/README.md at main · readthedocs/actions · GitHub.

I only noticed that when reviewing a Dependabot PR to bump github/actions to v7 and seeing the security warning in the What's new regarding pull_request_target. That call is in the GitHub Workflow configuration file for the RTD action used in many Plone projects. AFAICT, none of the Plone projects that use this workflow file are vulnerable, so I didn't report it as a security issue. Nonetheless, it's a good idea to remove this file.

I would also suggest that anyone using either pull_request_target or workflow_run in their workflows review them to ensure they're not vulnerable. See GitHub - actions/checkout: Action for checking out a repo · GitHub for details.

The following is a list of repositories with this workflow file in Plone and open pull requests to remove it as well as any configuration or documentation that references the removed file.

A couple of quick searches turned up a few more possible candidates.

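As an added example that is not part of the original post or of any Plone or Read the Docs code, here is a small Python triage script for the review suggested above: it lists workflow files triggered by pull_request_target or workflow_run and flags lines that reference the head of the pull request or of the triggering run. The flagging heuristic, the function names and the sample workflow are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Inline form, e.g. "on: [push, pull_request_target]".
ON_INLINE = re.compile(r"^\s*on\s*:\s*(.+)$")
# Block form: the trigger as a mapping key or list item under "on:".
KEY_OR_ITEM = re.compile(r"^\s*(?:-\s*)?(pull_request_target|workflow_run)\s*(?::.*)?$")
TRIGGER = re.compile(r"\b(pull_request_target|workflow_run)\b")
# Heuristic assumed by this example: expressions naming the head of the
# pull request or of the triggering run, i.e. content the PR author controls.
UNTRUSTED_REF = re.compile(
    r"github\.event\.(?:pull_request\.head\.(?:sha|ref)|workflow_run\.head_(?:sha|branch))")

def review_workflow(text):
    """Return the risky triggers and the lines that reference untrusted heads."""
    triggers, ref_lines = set(), []
    for number, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw)  # drop YAML comments (naive)
        inline = ON_INLINE.match(line)
        if inline:
            triggers.update(TRIGGER.findall(inline.group(1)))
        else:
            item = KEY_OR_ITEM.match(line)
            if item:
                triggers.add(item.group(1))
        if UNTRUSTED_REF.search(line):
            ref_lines.append(number)
    return {"triggers": sorted(triggers), "untrusted_ref_lines": ref_lines}

def scan_repo(root):
    """Review every workflow file in a checkout; keep only those worth a look."""
    findings = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        result = review_workflow(path.read_text(encoding="utf-8"))
        if result["triggers"]:
            findings[path.name] = result
    return findings

# Constructed sample, not taken from any Plone repository.
SAMPLE_RISKY = """\
name: docs-preview
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    print(review_workflow(SAMPLE_RISKY))
    print(scan_repo("."))
```

A file that appears in the output is a candidate for manual review, not a confirmed finding; the comment stripping and trigger matching are line-based rather than a full YAML parse.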