Skip to content

chore(ci): no more pull_request_target#8992

Open
avivkeller wants to merge 1 commit into
mainfrom
no-target
Open

chore(ci): no more pull_request_target#8992
avivkeller wants to merge 1 commit into
mainfrom
no-target

Conversation

@avivkeller

Copy link
Copy Markdown
Member

No description provided.

Copilot AI review requested due to automatic review settings July 1, 2026 21:30
@avivkeller avivkeller requested a review from a team as a code owner July 1, 2026 21:30
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nodejs-org Ready Ready Preview Jul 1, 2026 9:52pm

Request Review

@cursor

cursor Bot commented Jul 1, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Workflow permission and trigger changes affect fork PRs, Chromatic runs, and when Lighthouse/bundle comments appear; misconfiguration could skip comments or change secret exposure.

Overview
Moves PR feedback (bundle size and Lighthouse) off pull_request_target and standalone workflow_run comment workflows into a safer split: untrusted jobs run on pull_request, upload a pr-comment artifact, and a new Leave Comment workflow posts to the PR with pull-requests: write.

Build gains a compare-bundle-size job (replacing deleted bundle-compare.yml) that compares webpack stats on PRs, resolves the base run via pull_request.base.sha, and uploads the comparison markdown instead of commenting inline.

Lighthouse and Chromatic switch to pull_request; Lighthouse drops direct PR comments (including the “running audit…” stub) and the checkout ref override tied to pull_request_target. Chromatic no longer waits on the github_actions:pull-request label and reads CHROMATIC_PROJECT_TOKEN from vars instead of secrets.

Reviewed by Cursor Bugbot for commit a7c4907. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment on lines +3 to +7
on:
workflow_run:
# Any Workflow that uploads a `pr-comment` artifact should be listed here
workflows: ['Build', 'Lighthouse']
types: [completed]
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: pr-comment
path: pr-comment/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty comment after compare failure

Medium Severity

Prepare Comment and Upload Comment only require base-stats to succeed, not the Compare Bundle Size step. If comparison fails after base artifacts download, those steps can still run with an empty comment output, upload a pr-comment artifact, and the Leave Comment workflow may replace the PR’s bundle-size comment with blank content.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 0fa0f8d. Configure here.

@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.38%. Comparing base (104eb57) to head (a7c4907).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8992      +/-   ##
==========================================
- Coverage   75.41%   75.38%   -0.04%     
==========================================
  Files          98       98              
  Lines        8636     8636              
  Branches      318      319       +1     
==========================================
- Hits         6513     6510       -3     
- Misses       2119     2122       +3     
  Partials        4        4              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably determine the PR ourselves from the workflow_run data, otherwise this would allow an attacker to post a comment on any PR.

@avivkeller avivkeller Jul 1, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While workflow_run does send PR data, I found that it's not 100% reliable, as often (for some reason) is omitted. That being said, we can also,

Rely on it anyway,
Compare the SHA of the HEAD with open PRs

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is what we do for js.org: https://github.com/js-org/js.org/blob/30b6a762eff9c2bf8a2fde8c05f0f394c0f44ae0/.github/workflows/rename_comment.yml#L30-L39

I suppose including a PR number in the payload, and then doing that same head check, is also safe.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes usage of the privileged pull_request_target trigger in CI workflows and replaces direct PR-commenting with a safer two-workflow pattern: untrusted pull_request workflows serialize comment data into an artifact, and a trusted workflow_run workflow posts the comment after completion.

Changes:

  • Switch Lighthouse and Chromatic workflows from pull_request_target to pull_request and adjust permissions/commenting behavior accordingly.
  • Add a new Leave Comment workflow that downloads a pr-comment artifact on workflow_run completion and posts it to the PR.
  • Replace the standalone bundle-compare workflow_run workflow by integrating bundle comparison into the main Build workflow and emitting a pr-comment artifact.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
.github/workflows/lighthouse.yml Runs Lighthouse in pull_request context and uploads a pr-comment artifact instead of commenting directly.
.github/workflows/leave-comment.yml New trusted workflow_run workflow intended to post PR comments based on downloaded artifacts.
.github/workflows/chromatic.yml Moves Chromatic to pull_request and changes how the Chromatic token is sourced.
.github/workflows/bundle-compare.yml Removes the old standalone bundle compare workflow_run workflow.
.github/workflows/build.yml Adds an in-workflow bundle size comparison job and uploads pr-comment artifacts for trusted commenting.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +18 to +22
leave-comment:
name: Leave Comment
runs-on: ubuntu-latest
permissions:
pull-requests: write
Comment thread .github/workflows/leave-comment.yml Outdated
Comment on lines +45 to +51
run: |
pr="$(tr -cd '0-9' < pr-comment/pr.txt)"
tag="$(tr -cd 'A-Za-z0-9_-' < pr-comment/tag.txt)"
{
echo "pr=$pr"
echo "tag=$tag"
} >> "$GITHUB_OUTPUT"
Comment thread .github/workflows/chromatic.yml
Comment thread .github/workflows/chromatic.yml
Comment thread .github/workflows/build.yml
Comment thread .github/workflows/lighthouse.yml

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit a7c4907. Configure here.

// 1. For same-repo Pull Requests the run is already linked to its PR(s).
if (run.pull_requests && run.pull_requests.length) {
core.setOutput('number', run.pull_requests[0].number);
return;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR linked without head check

Medium Severity

When Leave Comment resolves the pull request from workflow_run.pull_requests, it uses the first entry’s number and returns without checking that pull request’s head commit matches workflow_run.head_sha. The fork fallback path does perform that check, so inconsistent or stale PR links can post bundle or Lighthouse comments on the wrong pull request.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit a7c4907. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants