Issues in publish-docs.cjs #3704

@adrianschmidt

⚠️ Outside diff range comments (3)

publish-docs.cjs (3)

356-358: Fix commit message when pruning old patch versions

It uses argv.remove (undefined here), producing “remove undefined”.

Apply this diff:

-        if (runCommit) {
-            commit(`chore(docs): remove ${argv.remove}`);
-        }
+        if (runCommit) {
+            commit(`chore(docs): remove old patch version ${item}`);
+        }
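
Review bot: `${item}` in the replacement message is not defined anywhere in the visible lines, so confirm it is the loop variable in scope at lines 356-358 and that it holds the version string rather than an object; otherwise the message trades "remove undefined" for another wrong value. The `if (runCommit) {` and `}` lines are removed and re-added unchanged, so the patch can be reduced to the single `commit(...)` line.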

122-124: Avoid exposing GH_TOKEN in command line/logs

Cloning with token in URL risks leakage in logs/process args. At minimum, silence exec output; ideally use a safer auth mechanism.

Apply this minimal mitigation:

 function cloneDocsRepo() {
   if (!shell.which('git')) {
     shell.echo('Sorry, this script requires git');
     shell.exit(1);
   }
 
+  const prevSilent = shell.config.silent;
+  shell.config.silent = true;
   if (
     shell.exec(
       'git clone --single-branch --branch gh-pages https://[email protected]/Lundalogik/lime-elements.git docsDist'
     ).code !== 0
   ) {
     shell.echo('git clone failed!');
     teardown();
     shell.exit(1);
   }
+  shell.config.silent = prevSilent;
 }
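
Review bot: `shell.config.silent = prevSilent;` sits after the `if` block, so on the failure branch `teardown()` runs with the global flag still set to true and the flag is never restored before `shell.exit(1)`. Scope the silencing to the one call by passing `{ silent: true }` as the second argument to `shell.exec`, or restore the flag immediately after the exec returns and before its result is tested. Silencing only covers the script's own output; the token is still part of the git command string, which is the exposure the longer-term suggestion addresses.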

Longer‑term: use GitHub Actions checkout with a separate workspace/folder, or gh auth/credential helpers to avoid embedding the token in the command.


452-453: Use shelljs rm for cross‑platform cleanup

shell.exec('rm -rf …') breaks on Windows; use shell.rm.

Apply this diff:

   shell.exec('git checkout src/index.html stencil.config.docs.ts');
   shell.echo('Removing docs repo clone in docsDist.');
-  shell.exec('rm -rf docsDist');
+  shell.rm('-rf', 'docsDist');
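
Review bot: The unchanged `shell.exec('git checkout src/index.html stencil.config.docs.ts')` line above the change ignores the exit code, unlike the clone step, which tests `.code !== 0`, so a failed restore of those two files would pass unnoticed before the clone directory is removed. Check `.code` there and echo a message on failure.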

Originally posted by @coderabbitai[bot] in #3703 (review)
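
One way to do the longer-term fix for the GH_TOKEN finding above, as an added example that is not code from `publish-docs.cjs` or from the review: the token is passed to git through `GIT_CONFIG_*` environment variables (git 2.31 or later) as an HTTP header, so it never appears in the command line or the remote URL. The function names `buildClone` and `redact`, the `github.com` host, and the sample token in the test are assumptions made for the example.

```javascript
const { spawnSync } = require('node:child_process');

// Repository path taken from the page's clone command; host assumed to be github.com.
const REPO_URL = 'https://github.com/Lundalogik/lime-elements.git';

// Build the clone invocation. The token travels in the child's environment,
// never in argv or the remote URL (hypothetical helper, not from the project).
function buildClone(token, dest = 'docsDist') {
    if (!token) {
        throw new Error('GH_TOKEN is not set');
    }
    const basic = Buffer.from(`x-access-token:${token}`).toString('base64');
    return {
        cmd: 'git',
        args: ['clone', '--single-branch', '--branch', 'gh-pages', REPO_URL, dest],
        env: {
            ...process.env,
            GIT_TERMINAL_PROMPT: '0', // fail instead of prompting in CI
            GIT_CONFIG_COUNT: '1',
            GIT_CONFIG_KEY_0: 'http.https://github.com/.extraheader',
            GIT_CONFIG_VALUE_0: `AUTHORIZATION: basic ${basic}`,
        },
    };
}

// Scrub the token and its base64 form from any text before it is logged.
function redact(text, token) {
    const basic = Buffer.from(`x-access-token:${token}`).toString('base64');
    return String(text).split(token).join('***').split(basic).join('***');
}

// Run the clone; returns true on success and logs only redacted stderr.
function cloneDocsRepo(token = process.env.GH_TOKEN) {
    const { cmd, args, env } = buildClone(token);
    const result = spawnSync(cmd, args, { env, encoding: 'utf8' });
    if (result.status !== 0) {
        console.error('git clone failed!', redact(result.stderr || result.error, token));
    }
    return result.status === 0;
}
```

The environment of a process is still readable by the same user on the host, so this narrows the exposure to logs and process listings rather than removing the need to protect the runner.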