Fix security vulnerability in workflows (#1804)
* Fix a security hole in #1787 found by Arun Murugesan: "The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request." See https://github.com/preactjs/compressed-size-action/issues/54 for why that action shouldn't be used with pull_request_target This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo) * The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation') * ci(bundle-size): extract bundle size scripts and simplify workflow - Add `.github/scripts/measure-bundle-sizes.js` and `render-bundle-size-comment.js` to replace inline node scripts embedded in workflow YAML, improving readability and reusability - Refactor `eslint-check.yml` to use the new script files and fix checkout steps to handle both PR and non-PR triggers correctly - Refactor `pr-checks-privileged.yml` to replace the large `github-script` block with `render-bundle-size-comment.js` and the `marocchino/sticky-pull-request-comment` action; remove the now-unnecessary `pr_number.txt` artifact by reading the PR number directly from the workflow_run event - Pin `ataylorme/eslint-annotate-action` to a specific commit SHA - Add `actions: read` permission where needed for artifact downloads * ci: add fork PR support and harden workflow - Look up PR number via API when workflow_run.pull_requests is empty (GitHub leaves it empty for fork PRs), falling back gracefully - Use head SHA instead of branch name for PR checkout to avoid TOCTOU - Fix formatSignedSize to produce +0 instead of -0 for zero values - Gate comment steps on successful PR number lookup Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Eoghan Murray <eoghan@getthere.ie> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Justin Halsall
52
.github/scripts/measure-bundle-sizes.js
vendored
Normal file
52
.github/scripts/measure-bundle-sizes.js
vendored
Normal file
@@ -0,0 +1,52 @@
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
|
||||
const outputPath = process.argv[2];
|
||||
|
||||
if (!outputPath) {
|
||||
console.error(
|
||||
'Usage: node .github/scripts/measure-bundle-sizes.js <output-path>',
|
||||
);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
const rootDir = process.cwd();
|
||||
const sizes = {};
|
||||
|
||||
function normalizePath(filePath) {
|
||||
return path.relative(rootDir, filePath).replace(/\\/g, '/');
|
||||
}
|
||||
|
||||
function shouldTrack(filePath) {
|
||||
const normalizedPath = normalizePath(filePath);
|
||||
|
||||
if (normalizedPath.startsWith('packages/packer/dist/')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return /(^|\/)dist\/[^/]+\.(js|cjs|mjs|css)$/.test(normalizedPath);
|
||||
}
|
||||
|
||||
function walk(dirPath) {
|
||||
for (const entry of fs.readdirSync(dirPath, { withFileTypes: true })) {
|
||||
if (entry.name === 'node_modules') {
|
||||
continue;
|
||||
}
|
||||
|
||||
const entryPath = path.join(dirPath, entry.name);
|
||||
|
||||
if (entry.isDirectory()) {
|
||||
walk(entryPath);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!shouldTrack(entryPath)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
sizes[normalizePath(entryPath)] = fs.statSync(entryPath).size;
|
||||
}
|
||||
}
|
||||
|
||||
walk(rootDir);
|
||||
fs.writeFileSync(outputPath, `${JSON.stringify(sizes, null, 2)}\n`);
|
||||
Reference in New Issue
Block a user