-
Notifications
You must be signed in to change notification settings - Fork 6.5k
chore(ci): no more pull_request_target #8992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
a7c4907
c075acf
27b091a
2796374
efab82a
827ce1d
a2d20bb
6a95094
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,14 +14,12 @@ on: | |
| paths: | ||
| - packages/ui-components/** | ||
| - .github/workflows/chromatic.yml | ||
| pull_request_target: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - packages/ui-components/** | ||
| - .github/workflows/chromatic.yml | ||
| types: | ||
| - labeled | ||
| workflow_dispatch: | ||
|
|
||
| defaults: | ||
|
|
@@ -42,9 +40,8 @@ jobs: | |
| # We only need to run Storybook Builds and Storybook Visual Regression Tests within Pull Requests that actually | ||
| # introduce changes to the Storybook. Hence, we skip running these on Crowdin PRs and Dependabot PRs | ||
| if: | | ||
| github.event_name != 'pull_request_target' || | ||
| github.event_name != 'pull_request' || | ||
| ( | ||
| github.event.label.name == 'github_actions:pull-request' && | ||
| github.actor != 'dependabot[bot]' && | ||
| github.event.pull_request.head.ref != 'chore/crowdin' | ||
|
Comment on lines
42
to
46
|
||
| ) | ||
|
|
@@ -66,10 +63,10 @@ jobs: | |
| - name: Start Visual Regression Tests (Chromatic) | ||
| # This assigns the Environment Deployment for Storybook | ||
| id: chromatic-deploy | ||
| uses: chromaui/action@c49581ed7e45543eef2b5d727cf97a688a83e7d8 # v17.6.0 | ||
| uses: chromaui/action@94713c544284a14195de3b50ef24301579f1877e # v18.0.1 | ||
| with: | ||
| workingDir: packages/ui-components | ||
| buildScriptName: storybook:build | ||
| projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }} | ||
| projectToken: ${{ vars.CHROMATIC_PROJECT_TOKEN }} | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. can we make sure we talk about this in writing? (edit so it's near the review: https://www.chromatic.com/docs/github-actions/#project-token-secret)
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yeah, per https://www.chromatic.com/docs/github-actions/#project-token-secret isnt this a secet?
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. A few sections later in that same file, https://www.chromatic.com/docs/github-actions/#run-chromatic-on-external-forks-of-open-source-projects:
|
||
| exitOnceUploaded: true | ||
| onlyChanged: true | ||
|
avivkeller marked this conversation as resolved.
|
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| name: Leave Comment | ||
|
|
||
| on: | ||
| workflow_run: # zizmor: ignore[dangerous-triggers] | ||
| # While it's true (as reported by Zizmor) that many `workflow_run` | ||
| # workflows are unsafe, we are using it purely to paste a code comment | ||
| # on a pull request. If an attacker were to attempt to modify the _only_ | ||
| # file of data we collect from their unsafe code, the worst they could do | ||
| # is leave a comment on their own PR, which has no harmful impact | ||
| # whatsover. | ||
| # | ||
| # Any Workflow that uploads a `pr-comment` artifact should be listed here | ||
| workflows: ['Build', 'Lighthouse'] | ||
| types: [completed] | ||
|
github-advanced-security[bot] marked this conversation as resolved.
Fixed
|
||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.workflow_run.id }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| leave-comment: | ||
| name: Leave Comment | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
|
avivkeller marked this conversation as resolved.
|
||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Download Comment Artifact | ||
| # The Workflow may not have produced a comment (e.g. the comparison was skipped), so this is | ||
| # allowed to fail and every subsequent step is gated on it having succeeded. | ||
| id: download | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: pr-comment | ||
| path: pr-comment | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Resolve Pull Request Number | ||
| id: pr | ||
| if: steps.download.outcome == 'success' | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | ||
| with: | ||
| script: | | ||
| const run = context.payload.workflow_run; | ||
|
|
||
| // 1. For same-repo Pull Requests the run is already linked to its PR(s). | ||
| if (run.pull_requests && run.pull_requests.length) { | ||
| core.setOutput('number', run.pull_requests[0].number); | ||
| return; | ||
|
avivkeller marked this conversation as resolved.
|
||
| } | ||
|
|
||
| // 2. For forks that list is empty, so find the open Pull Request who has the | ||
| // correct branch information | ||
| const match = await github.rest.pulls.list({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| state: 'open', | ||
| head: `${context.payload.workflow_run.head_repository.owner.login}:${context.payload.workflow_run.head_branch}`, | ||
| sort: 'updated', | ||
| direction: 'desc', | ||
| per_page: 1, | ||
| }).then(r => r.data[0]); | ||
|
|
||
| if (!match) { | ||
| core.info(`No open pull request found for HEAD ${run.head_sha}`); | ||
| return; | ||
| } | ||
|
|
||
| core.setOutput('number', match.number); | ||
|
|
||
| - name: Read Comment Tag | ||
| id: meta | ||
| if: steps.download.outcome == 'success' | ||
| run: | | ||
| tag="$(tr -cd 'A-Za-z0-9_-' < pr-comment/tag.txt)" | ||
| echo "tag=$tag" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Add Comment to PR | ||
| # The comment body is untrusted markdown, so it is passed as a file (data) rather than | ||
| # interpolated into an expression or shell command. | ||
| if: steps.download.outcome == 'success' && steps.pr.outputs.number != '' | ||
| uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0 | ||
| with: | ||
| file-path: pr-comment/comment.md | ||
| comment-tag: ${{ steps.meta.outputs.tag }} | ||
| pr-number: ${{ steps.pr.outputs.number }} | ||
Uh oh!
There was an error while loading. Please reload this page.