Commit e1914300523 for woocommerce

commit e1914300523e213197db780d7a82e666995fe4e3
Author: Eason <eason.su.tw@gmail.com>
Date:   Fri Jul 17 17:26:09 2026 +0800

    Fix User-Facing Documentation Check failing after claude-code-action v1.0.171 bump (#66694)

    * ci: fix docs-needed detection after claude-code-action v1.0.171 bump

    The "User-Facing Documentation Check" workflow runs claude-code-action
    on every merged PR to flag user-facing changes, but it never checked
    out the repository. The action assumes a checkout: it configures git
    and, since v1.0.74, restores trusted config files from the PR base
    branch with `git fetch origin <base>`. The pinned v1.0.66 predated that
    restore step and only logged a non-fatal warning when git config failed,
    so the missing checkout stayed harmless. After the action was bumped to
    v1.0.171, whose restore step hard-fails without a git repo, the job
    began failing on every merged PR.

    Add an actions/checkout step before the action. Pin it to the PR's base
    branch so it checks out trunk's trusted files and clears checkout v7's
    "pwn request" guard for fork PRs, without opting into
    allow-unsafe-pr-checkout.

    * ci: disable credential persistence in docs-needed checkout

    The job only reads the PR via the GitHub API and never pushes, so
    actions/checkout's default persisted GITHUB_TOKEN in .git/config is
    unused. Set persist-credentials: false to keep it out of the working
    tree, matching ci.yml.

    Safe for the downstream claude-code-action restore: the repository is
    public, so its `git fetch origin <base>` succeeds without the credential.

    Address: https://github.com/woocommerce/woocommerce/pull/66694#discussion_r3593300066

diff --git a/.github/workflows/docs-needed-detection.yml b/.github/workflows/docs-needed-detection.yml
index 23f4c497c8f..b1f825e8ba2 100644
--- a/.github/workflows/docs-needed-detection.yml
+++ b/.github/workflows/docs-needed-detection.yml
@@ -19,6 +19,15 @@ jobs:
       pull-requests: write

     steps:
+      - name: 'Checkout'
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          # Fork PRs need the explicit ref. Without it, under pull_request_target checkout
+          # defaults its commit to github.sha, which for a merged fork PR is the merge commit
+          # that actions/checkout refuses to check out due to its "pwn request" guard.
+          ref: ${{ github.event.pull_request.base.ref }}
+          persist-credentials: false
+
       - name: 'Analyze Pull Request'
         id: analyze
         uses: anthropics/claude-code-action@e90deca47693f9457b72f2b53c17d7c445a87342 # v1.0.171
@@ -159,12 +168,16 @@ jobs:

       - name: 'Setup Linear'
         if: ${{ steps.analyze.outputs.structured_output && fromJSON(steps.analyze.outputs.structured_output).needs_docs }}
-        run: npm install @linear/sdk@71.0.0
+        # Install outside the workspace: the checkout put the monorepo root package.json there,
+        # whose workspace:* deps make a bare `npm install` abort (npm has no workspace: support).
+        run: npm install --prefix "${{ runner.temp }}/linear" @linear/sdk@71.0.0

       - name: 'Create Linear Issue'
         if: ${{ steps.analyze.outputs.structured_output && fromJSON(steps.analyze.outputs.structured_output).needs_docs }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
+          # Resolve @linear/sdk from the isolated dir it was installed into in 'Setup Linear'.
+          NODE_PATH: ${{ runner.temp }}/linear/node_modules
           STRUCTURED_OUTPUT: ${{ steps.analyze.outputs.structured_output }}
           LINEAR_API_KEY: ${{ secrets.LINEAR_OAUTH_TOKEN }}
           LINEAR_TEAM_ID: ${{ secrets.LINEAR_DOCS_TEAM_ID }}