xuguopeng/rrweb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security vulnerability in workflows (#1804)

Browse Source 
* Fix a security hole in #1787 found by Arun Murugesan:

"The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request."

See https://github.com/preactjs/compressed-size-action/issues/54 for why that action shouldn't be used with pull_request_target

This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo)

* The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation')

* ci(bundle-size): extract bundle size scripts and simplify workflow

- Add `.github/scripts/measure-bundle-sizes.js` and
  `render-bundle-size-comment.js` to replace inline node scripts
  embedded in workflow YAML, improving readability and reusability
- Refactor `eslint-check.yml` to use the new script files and fix
  checkout steps to handle both PR and non-PR triggers correctly
- Refactor `pr-checks-privileged.yml` to replace the large
  `github-script` block with `render-bundle-size-comment.js` and
  the `marocchino/sticky-pull-request-comment` action; remove the
  now-unnecessary `pr_number.txt` artifact by reading the PR number
  directly from the workflow_run event
- Pin `ataylorme/eslint-annotate-action` to a specific commit SHA
- Add `actions: read` permission where needed for artifact downloads

* ci: add fork PR support and harden workflow

- Look up PR number via API when workflow_run.pull_requests is empty
  (GitHub leaves it empty for fork PRs), falling back gracefully
- Use head SHA instead of branch name for PR checkout to avoid TOCTOU
- Fix formatSignedSize to produce +0 instead of -0 for zero values
- Gate comment steps on successful PR number lookup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Justin Halsall
2026-03-17 22:23:34 +01:00
committed by GitHub
parent bcf93ca926
commit acba854f30
4 changed files with 344 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
.github/workflows/eslint-check.yml vendored
View File

@@ -2,7 +2,7 @@ name: ESLint Check
on:
push:
pull_request_target:
pull_request:
jobs:
eslint_check_upload:
@@ -12,10 +12,15 @@ jobs:
name: ESLint Check and Report Upload
steps:
- uses: actions/checkout@v4
- name: Checkout pull request head
if: github.event_name == 'pull_request'
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.head_ref }}
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout current branch
if: github.event_name != 'pull_request'
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
@@ -38,49 +43,60 @@ jobs:
with:
name: eslint_report.json
path: eslint_report.json
- name: Measure PR bundle sizes
if: github.event_name == 'pull_request'
run: node .github/scripts/measure-bundle-sizes.js pr-sizes.json
- name: Upload PR bundle sizes
if: github.event_name == 'pull_request'
uses: actions/upload-artifact@v4
with:
name: pr-sizes
path: pr-sizes.json
annotation:
# Skip the annotation action in push events
if: github.event_name == 'pull_request_target'
permissions:
checks: write
bundle_size_build:
# Only runs on PRs. Reuses the PR build from eslint_check_upload (via the
# pr-sizes artifact) and only builds the base branch itself. The privileged
# bundle-size-comment workflow then posts the PR comment without ever
# executing fork code.
if: github.event_name == 'pull_request'
needs: eslint_check_upload
runs-on: ubuntu-latest
name: ESLint Annotation
steps:
- uses: actions/download-artifact@v4
with:
name: eslint_report.json
- name: Annotate Code Linting Results
uses: ataylorme/eslint-annotate-action@v2
with:
repo-token: '${{ secrets.GITHUB_TOKEN }}'
report-json: 'eslint_report.json'
bundle_size:
# Only runs on PRs (needs a base branch to compare against)
if: github.event_name == 'pull_request_target'
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
pull-requests: write
name: Check Bundle Sizes
name: Build Base for Bundle Size Comparison
steps:
- name: Checkout workflow ref
uses: actions/checkout@v4
- name: Prepare bundle size helper
run: |
cp .github/scripts/measure-bundle-sizes.js /tmp/measure-bundle-sizes.js
# --- Base branch ---
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.head_ref }}
- name: Setup Node
uses: actions/setup-node@v3
ref: ${{ github.base_ref }}
- name: Download PR bundle sizes
uses: actions/download-artifact@v4
with:
name: pr-sizes
- uses: actions/setup-node@v3
with:
node-version: lts/*
cache: 'yarn'
- name: Check bundle sizes
uses: preactjs/compressed-size-action@v2
with:
install-script: 'yarn install --frozen-lockfile'
build-script: 'build:all'
compression: 'none'
pattern: '**/dist/*.{js,cjs,mjs,css}'
- name: Install base dependencies
run: yarn install --frozen-lockfile
env:
PUPPETEER_SKIP_DOWNLOAD: true
- name: Build base branch
run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all
env:
PUPPETEER_SKIP_DOWNLOAD: true
- name: Measure base bundle sizes
run: node /tmp/measure-bundle-sizes.js base-sizes.json
- uses: actions/upload-artifact@v4
with:
name: bundle-size-data
path: |
pr-sizes.json
base-sizes.json