-
Notifications
You must be signed in to change notification settings - Fork 6.5k
chore(ci): no more pull_request_target #8992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -85,3 +85,73 @@ jobs: | |
| # We want to ensure that static exports for all locales do not occur on `pull_request` events | ||
| # TODO: The output of this is too large, and it crashes the GitHub Runner | ||
| NEXT_PUBLIC_STATIC_EXPORT_LOCALE: false # ${{ github.event_name == 'push' }} | ||
|
|
||
| compare-bundle-size: | ||
| name: Compare Bundle Size | ||
| runs-on: ubuntu-latest | ||
| needs: build | ||
| if: github.event_name == 'pull_request' | ||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Git Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Download Stats (HEAD) | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: webpack-stats | ||
| path: head-stats | ||
|
|
||
| - name: Get Run ID from BASE | ||
| id: base-run | ||
| env: | ||
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| ID=$(gh run list -c "$BASE_SHA" -w build.yml -s success -L 1 --json databaseId --jq ".[].databaseId") | ||
| echo "run_id=$ID" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Download Stats (BASE) | ||
| id: base-stats | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: webpack-stats | ||
| path: base-stats | ||
| run-id: ${{ steps.base-run.outputs.run_id }} | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Compare Bundle Size | ||
| id: compare-bundle-size | ||
| if: steps.base-stats.outcome == 'success' | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | ||
| env: | ||
| HEAD_STATS_PATH: ./head-stats/webpack-stats.json | ||
| BASE_STATS_PATH: ./base-stats/webpack-stats.json | ||
| with: | ||
| script: | | ||
| const { compare } = await import('${{github.workspace}}/apps/site/scripts/compare-size/index.mjs') | ||
| await compare({core}) | ||
|
|
||
| - name: Prepare Comment | ||
| if: steps.base-stats.outcome == 'success' | ||
| env: | ||
| COMMENT: ${{ steps.compare-bundle-size.outputs.comment }} | ||
| run: | | ||
| mkdir -p pr-comment | ||
| printf '%s' "$COMMENT" > pr-comment/comment.md | ||
| printf '%s' 'compare_bundle_size' > pr-comment/tag.txt | ||
|
|
||
| - name: Upload Comment | ||
| if: steps.base-stats.outcome == 'success' | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| with: | ||
| name: pr-comment | ||
| path: pr-comment/ | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Empty comment after compare failureMedium Severity
Reviewed by Cursor Bugbot for commit 0fa0f8d. Configure here. |
||
This file was deleted.
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should probably determine the PR ourselves from the workflow_run data, otherwise this would allow an attacker to post a comment on any PR.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. While Rely on it anyway,
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. WDYT?
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is what we do for js.org: https://github.com/js-org/js.org/blob/30b6a762eff9c2bf8a2fde8c05f0f394c0f44ae0/.github/workflows/rename_comment.yml#L30-L39 I suppose including a PR number in the payload, and then doing that same head check, is also safe. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| name: Leave Comment | ||
|
|
||
| on: | ||
| workflow_run: | ||
| # Any Workflow that uploads a `pr-comment` artifact should be listed here | ||
| workflows: ['Build', 'Lighthouse'] | ||
| types: [completed] | ||
Check failureCode scanning / zizmor use of fundamentally insecure workflow trigger: workflow_run is almost always used insecurely Error
use of fundamentally insecure workflow trigger: workflow_run is almost always used insecurely
|
||
|
Comment on lines
+3
to
+7
|
||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.workflow_run.id }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| leave-comment: | ||
| name: Leave Comment | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
|
Comment on lines
+18
to
+22
|
||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Download Comment Artifact | ||
| # The Workflow may not have produced a comment (e.g. the comparison was skipped), so this is | ||
| # allowed to fail and every subsequent step is gated on it having succeeded. | ||
| id: download | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: pr-comment | ||
| path: pr-comment | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Resolve Pull Request Number | ||
| id: pr | ||
| if: steps.download.outcome == 'success' | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | ||
| with: | ||
| script: | | ||
| const run = context.payload.workflow_run; | ||
|
|
||
| // 1. For same-repo Pull Requests the run is already linked to its PR(s). | ||
| if (run.pull_requests && run.pull_requests.length) { | ||
| core.setOutput('number', run.pull_requests[0].number); | ||
| return; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. PR linked without head checkMedium Severity When Reviewed by Cursor Bugbot for commit a7c4907. Configure here. |
||
| } | ||
|
|
||
| // 2. For forks that list is empty, so find the open Pull Request whose HEAD SHA matches | ||
| // the commit that triggered the run. | ||
| const pulls = await github.paginate(github.rest.pulls.list, { | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| state: 'open', | ||
| per_page: 100, | ||
| }); | ||
|
|
||
| const match = pulls.find(pull => pull.head.sha === run.head_sha); | ||
|
|
||
| if (!match) { | ||
| core.info(`No open pull request found for HEAD ${run.head_sha}`); | ||
| return; | ||
| } | ||
|
|
||
| core.setOutput('number', match.number); | ||
|
|
||
| - name: Read Comment Tag | ||
| id: meta | ||
| if: steps.download.outcome == 'success' | ||
| run: | | ||
| tag="$(tr -cd 'A-Za-z0-9_-' < pr-comment/tag.txt)" | ||
| echo "tag=$tag" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Add Comment to PR | ||
| # The comment body is untrusted markdown, so it is passed as a file (data) rather than | ||
| # interpolated into an expression or shell command. | ||
| if: steps.download.outcome == 'success' && steps.pr.outputs.number != '' | ||
| uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0 | ||
| with: | ||
| file-path: pr-comment/comment.md | ||
| comment-tag: ${{ steps.meta.outputs.tag }} | ||
| pr-number: ${{ steps.pr.outputs.number }} | ||


Uh oh!
There was an error while loading. Please reload this page.