
Commit 0fa0f8d

committed
chore(ci): no more pull_request_target
1 parent 104eb57 commit 0fa0f8d

5 files changed

Lines changed: 158 additions & 106 deletions


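--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -85,3 +85,75 @@ jobs:
 # We want to ensure that static exports for all locales do not occur on `pull_request` events
 # TODO: The output of this is too large, and it crashes the GitHub Runner
 NEXT_PUBLIC_STATIC_EXPORT_LOCALE: false # ${{ github.event_name == 'push' }}
+
+compare-bundle-size:
+name: Compare Bundle Size
+runs-on: ubuntu-latest
+needs: build
+if: github.event_name == 'pull_request'
+
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+with:
+egress-policy: audit
+
+- name: Git Checkout
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Download Stats (HEAD)
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+with:
+name: webpack-stats
+path: head-stats
+
+- name: Get Run ID from BASE
+id: base-run
+env:
+BASE_SHA: ${{ github.event.pull_request.base.sha }}
+GH_TOKEN: ${{ github.token }}
+run: |
+ID=$(gh run list -c "$BASE_SHA" -w build.yml -s success -L 1 --json databaseId --jq ".[].databaseId")
+echo "run_id=$ID" >> "$GITHUB_OUTPUT"
+
+- name: Download Stats (BASE)
+id: base-stats
+continue-on-error: true
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+with:
+name: webpack-stats
+path: base-stats
+run-id: ${{ steps.base-run.outputs.run_id }}
+github-token: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Compare Bundle Size
+id: compare-bundle-size
+if: steps.base-stats.outcome == 'success'
+uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+env:
+HEAD_STATS_PATH: ./head-stats/webpack-stats.json
+BASE_STATS_PATH: ./base-stats/webpack-stats.json
+with:
+script: |
+const { compare } = await import('${{github.workspace}}/apps/site/scripts/compare-size/index.mjs')
+await compare({core})
+
+- name: Prepare Comment
+if: steps.base-stats.outcome == 'success'
+env:
+COMMENT: ${{ steps.compare-bundle-size.outputs.comment }}
+PR_NUMBER: ${{ github.event.pull_request.number }}
+run: |
+mkdir -p pr-comment
+printf '%s' "$COMMENT" > pr-comment/comment.md
+printf '%s' "$PR_NUMBER" > pr-comment/pr.txt
+printf '%s' 'compare_bundle_size' > pr-comment/tag.txt
+
+- name: Upload Comment
+if: steps.base-stats.outcome == 'success'
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+with:
+name: pr-comment
+path: pr-comment/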
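Review bot: `Get Run ID from BASE` writes an empty `run_id` when `gh run list` finds no successful `build.yml` run for the base SHA, and because the BASE download is `continue-on-error`, the whole comparison then disappears with nothing in the job log explaining why. I would surface that case after the lookup, `if [ -z "$ID" ]; then echo "::warning::No successful build.yml run found for base $BASE_SHA; bundle-size comparison will be skipped"; fi`. The new job also declares no `permissions:` block; downloading an artifact from another run with `secrets.GITHUB_TOKEN` is documented to require `actions: read`, which this job currently inherits from the workflow-level block outside this hunk, so pinning `permissions: { contents: read, actions: read }` on the job makes the requirement explicit and keeps the job at least privilege if the workflow-level block changes later.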

.github/workflows/bundle-compare.yml

Lines changed: 0 additions & 77 deletions
This file was deleted.

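--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -14,14 +14,12 @@ on:
 paths:
 - packages/ui-components/**
 - .github/workflows/chromatic.yml
-pull_request_target:
+pull_request:
 branches:
 - main
 paths:
 - packages/ui-components/**
 - .github/workflows/chromatic.yml
-types:
-- labeled
 workflow_dispatch:
 
 defaults:
@@ -42,9 +40,8 @@ jobs:
 # We only need to run Storybook Builds and Storybook Visual Regression Tests within Pull Requests that actually
 # introduce changes to the Storybook. Hence, we skip running these on Crowdin PRs and Dependabot PRs
 if: |
-github.event_name != 'pull_request_target' ||
+github.event_name != 'pull_request' ||
 (
-github.event.label.name == 'github_actions:pull-request' &&
 github.actor != 'dependabot[bot]' &&
 github.event.pull_request.head.ref != 'chore/crowdin'
 )
@@ -70,6 +67,6 @@ jobs:
 with:
 workingDir: packages/ui-components
 buildScriptName: storybook:build
-projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
+projectToken: ${{ vars.CHROMATIC_PROJECT_TOKEN }}
 exitOnceUploaded: true
 onlyChanged: true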
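Review bot: `projectToken` now reads `vars.CHROMATIC_PROJECT_TOKEN`, so the value is no longer masked in logs and is readable by anyone who can view repository variables, and the same commit drops the `labeled` trigger and the `github_actions:pull-request` check from the job `if`, so any fork PR touching `packages/ui-components` can now publish Chromatic builds with it. That may be the intended trade (a fork `pull_request` run has no access to secrets), but it is the kind of line the next reviewer will flag again, so record the decision above it: `# Deliberately a repository variable (unmasked): fork PRs run without secrets, and this token is only used here to upload Storybook builds`. If the token grants anything beyond uploading builds on the Chromatic side, this should instead stay a secret with a separate trusted workflow, as was done for PR comments elsewhere in this commit.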
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
name: Leave Comment
2+
3+
on:
4+
workflow_run:
5+
# Any Workflow that uploads a `pr-comment` artifact should be listed here
6+
workflows: ['Build', 'Lighthouse']
7+
types: [completed]
8+
9+
permissions:
10+
contents: read
11+
actions: read
12+
13+
concurrency:
14+
group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
15+
cancel-in-progress: true
16+
17+
jobs:
18+
leave-comment:
19+
name: Leave Comment
20+
runs-on: ubuntu-latest
21+
permissions:
22+
pull-requests: write
23+
24+
steps:
25+
- name: Harden Runner
26+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
27+
with:
28+
egress-policy: audit
29+
30+
- name: Download Comment Artifact
31+
# The Workflow may not have produced a comment (e.g. the comparison was skipped), so this is
32+
# allowed to fail and every subsequent step is gated on it having succeeded.
33+
id: download
34+
continue-on-error: true
35+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
36+
with:
37+
name: pr-comment
38+
path: pr-comment
39+
run-id: ${{ github.event.workflow_run.id }}
40+
github-token: ${{ secrets.GITHUB_TOKEN }}
41+
42+
- name: Read Comment Metadata
43+
id: meta
44+
if: steps.download.outcome == 'success'
45+
run: |
46+
pr="$(tr -cd '0-9' < pr-comment/pr.txt)"
47+
tag="$(tr -cd 'A-Za-z0-9_-' < pr-comment/tag.txt)"
48+
{
49+
echo "pr=$pr"
50+
echo "tag=$tag"
51+
} >> "$GITHUB_OUTPUT"
52+
53+
- name: Add Comment to PR
54+
# The comment body is untrusted markdown, so it is passed as a file (data) rather than
55+
# interpolated into an expression or shell command.
56+
if: steps.download.outcome == 'success'
57+
uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0
58+
with:
59+
file-path: pr-comment/comment.md
60+
comment-tag: ${{ steps.meta.outputs.tag }}
61+
pr-number: ${{ steps.meta.outputs.pr }}
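Review bot: The job-level `permissions:` block (`pull-requests: write`) replaces the workflow-level one rather than extending it, so `leave-comment` runs with `actions: none` and the cross-run `download-artifact` call using `secrets.GITHUB_TOKEN` will be denied; since that step is `continue-on-error`, the failure is silent and no comment is ever posted, so add `actions: read` (and `contents: read`) to the job-level block. Separately, `pr.txt` and `tag.txt` are written by the untrusted `pull_request` run, so a PR can put any number into `pr.txt` and have this privileged workflow post on an unrelated PR; before commenting, verify the number belongs to the triggering run, e.g. `gh api "repos/${GITHUB_REPOSITORY}/pulls/${pr}" --jq .head.sha` must equal `${{ github.event.workflow_run.head_sha }}`, and skip the comment otherwise. The digit/charset filtering in `Read Comment Metadata` prevents injection but not this cross-PR targeting, and the same head-SHA check also bounds what an attacker-chosen `tag` can overwrite to the PR's own bot comments.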

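--- a/.github/workflows/lighthouse.yml
+++ b/.github/workflows/lighthouse.yml
@@ -1,5 +1,7 @@
 # Security Notes
-# This workflow uses `pull_request_target`, so will run against all PRs automatically (without approval), be careful with allowing any user-provided code to be run here
+# This Workflow runs in the untrusted `pull_request` context and therefore must not rely on any
+# repository secrets. It does not comment on the Pull Request itself; instead it uploads a
+# `pr-comment` artifact which the trusted `Leave Comment` Workflow posts once this Workflow completes.
 # Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
 # for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
 # REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
@@ -9,7 +11,7 @@
 name: Lighthouse
 
 on:
-pull_request_target:
+pull_request:
 branches:
 - main
 types:
@@ -36,9 +38,6 @@ jobs:
 github.event.label.name == 'github_actions:pull-request'
 name: Lighthouse Report
 runs-on: ubuntu-latest
-permissions:
-# Required by `thollander/actions-comment-pull-request`
-pull-requests: write
 
 steps:
 - name: Harden Runner
@@ -55,21 +54,11 @@ jobs:
 check_interval: 10 # check every 10 seconds
 
 - name: Git Checkout
+# Only needed for the Lighthouse formatting script; no credentials are persisted.
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
-# Provides the Pull Request commit SHA or the GitHub merge group ref
-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
 persist-credentials: false
 
-- name: Add Comment to PR
-# Signal that a lighthouse run is about to start
-uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0
-with:
-message: |
-Running Lighthouse audit...
-# Used later to edit the existing comment
-comment-tag: 'lighthouse_audit'
-
 - name: Audit Preview URL with Lighthouse
 # Conduct the lighthouse audit
 id: lighthouse_audit
@@ -105,11 +94,21 @@ jobs:
 const { formatLighthouseResults } = await import('${{github.workspace}}/apps/site/scripts/lighthouse/index.mjs')
 await formatLighthouseResults({core})
 
-- name: Add Comment to PR
-# Replace the previous message with our formatted lighthouse results
-uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0
+- name: Prepare Comment
+# Serialises the comment, its tag, and the target PR number into files for the trusted
+# `Leave Comment` Workflow. The comment body is passed via env (never interpolated into the
+# shell) so it cannot inject commands.
+env:
+COMMENT: ${{ steps.format_lighthouse_score.outputs.comment }}
+PR_NUMBER: ${{ github.event.pull_request.number }}
+run: |
+mkdir -p pr-comment
+printf '%s' "$COMMENT" > pr-comment/comment.md
+printf '%s' "$PR_NUMBER" > pr-comment/pr.txt
+printf '%s' 'lighthouse_audit' > pr-comment/tag.txt
+
+- name: Upload Comment
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
-# Reference the previously created comment
-comment-tag: 'lighthouse_audit'
-message: |
-${{ steps.format_lighthouse_score.outputs.comment }}
+name: pr-comment
+path: pr-comment/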
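Review bot: Removing the job-level `permissions:` block (old lines 39-41) leaves `Lighthouse Report` with whatever the workflow-level block outside these hunks grants, while the job now executes the PR's own copy of this workflow and of `apps/site/scripts/lighthouse/index.mjs` under `pull_request`; pin it explicitly with `permissions: contents: read` so the least-privilege intent stated in the new header comment is enforced in the job rather than inherited. The header also promises the workflow does not rely on repository secrets, but the audit step itself (old line 73 onward) lies outside the hunk, so please confirm no `secrets.*` reference survives there, since a fork `pull_request` run would receive an empty value for it. The `types:` list under `on.pull_request` and the `github_actions:pull-request` label check remain as context lines, so the maintainer-applied label is still the only gate on running this job; that is worth stating in the header comment as well, e.g. `# Runs only once a maintainer applies the github_actions:pull-request label`.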
