62d2f8504c
* Fix a security hole in #1787 found by Arun Murugesan: "The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request." See https://github.com/preactjs/compressed-size-action/issues/54 for why that action shouldn't be used with pull_request_target This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo) * The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation') * ci(bundle-size): extract bundle size scripts and simplify workflow - Add `.github/scripts/measure-bundle-sizes.js` and `render-bundle-size-comment.js` to replace inline node scripts embedded in workflow YAML, improving readability and reusability - Refactor `eslint-check.yml` to use the new script files and fix checkout steps to handle both PR and non-PR triggers correctly - Refactor `pr-checks-privileged.yml` to replace the large `github-script` block with `render-bundle-size-comment.js` and the `marocchino/sticky-pull-request-comment` action; remove the now-unnecessary `pr_number.txt` artifact by reading the PR number directly from the workflow_run event - Pin `ataylorme/eslint-annotate-action` to a specific commit SHA - Add `actions: read` permission where needed for artifact downloads * ci: add fork PR support and harden workflow - Look up PR number via API when workflow_run.pull_requests is empty (GitHub leaves it empty for fork PRs), falling back gracefully - Use head SHA instead of branch name for PR checkout to avoid TOCTOU - Fix formatSignedSize to produce +0 instead of -0 for zero values - Gate comment steps on successful PR number lookup Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Eoghan Murray <eoghan@getthere.ie> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
103 lines
3.2 KiB
YAML
103 lines
3.2 KiB
YAML
name: ESLint Check
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
|
|
jobs:
|
|
eslint_check_upload:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
name: ESLint Check and Report Upload
|
|
|
|
steps:
|
|
- name: Checkout pull request head
|
|
if: github.event_name == 'pull_request'
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
- name: Checkout current branch
|
|
if: github.event_name != 'pull_request'
|
|
uses: actions/checkout@v4
|
|
- name: Setup Node
|
|
uses: actions/setup-node@v3
|
|
with:
|
|
node-version: lts/*
|
|
cache: 'yarn'
|
|
- name: Install Dependencies
|
|
run: yarn install --frozen-lockfile
|
|
env:
|
|
PUPPETEER_SKIP_DOWNLOAD: true
|
|
- name: Build Packages
|
|
run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all
|
|
- name: Eslint Check
|
|
run: yarn turbo run lint
|
|
- name: Save Code Linting Report JSON
|
|
run: yarn lint:report
|
|
# Continue to the next step even if this fails
|
|
continue-on-error: true
|
|
- name: Upload ESLint Report
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: eslint_report.json
|
|
path: eslint_report.json
|
|
- name: Measure PR bundle sizes
|
|
if: github.event_name == 'pull_request'
|
|
run: node .github/scripts/measure-bundle-sizes.js pr-sizes.json
|
|
- name: Upload PR bundle sizes
|
|
if: github.event_name == 'pull_request'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: pr-sizes
|
|
path: pr-sizes.json
|
|
|
|
bundle_size_build:
|
|
# Only runs on PRs. Reuses the PR build from eslint_check_upload (via the
|
|
# pr-sizes artifact) and only builds the base branch itself. The privileged
|
|
# bundle-size-comment workflow then posts the PR comment without ever
|
|
# executing fork code.
|
|
if: github.event_name == 'pull_request'
|
|
needs: eslint_check_upload
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
name: Build Base for Bundle Size Comparison
|
|
steps:
|
|
- name: Checkout workflow ref
|
|
uses: actions/checkout@v4
|
|
- name: Prepare bundle size helper
|
|
run: |
|
|
cp .github/scripts/measure-bundle-sizes.js /tmp/measure-bundle-sizes.js
|
|
# --- Base branch ---
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.base_ref }}
|
|
- name: Download PR bundle sizes
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: pr-sizes
|
|
- uses: actions/setup-node@v3
|
|
with:
|
|
node-version: lts/*
|
|
cache: 'yarn'
|
|
- name: Install base dependencies
|
|
run: yarn install --frozen-lockfile
|
|
env:
|
|
PUPPETEER_SKIP_DOWNLOAD: true
|
|
- name: Build base branch
|
|
run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all
|
|
env:
|
|
PUPPETEER_SKIP_DOWNLOAD: true
|
|
- name: Measure base bundle sizes
|
|
run: node /tmp/measure-bundle-sizes.js base-sizes.json
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
with:
|
|
name: bundle-size-data
|
|
path: |
|
|
pr-sizes.json
|
|
base-sizes.json
|