From 982b16d60e637a41b9c2e7c347869c1260b9ee90 Mon Sep 17 00:00:00 2001 From: lauren Date: Fri, 21 Mar 2025 16:32:38 -0400 Subject: [PATCH 1/3] [ci] Fix permissions and don't use pull_request_target (#7689) Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. --- .github/workflows/analyze.yml | 4 +++- .github/workflows/analyze_comment.yml | 4 +++- .github/workflows/discord_notify.yml | 7 ++++++- .github/workflows/label_core_team_prs.yml | 12 +++++++++++- .github/workflows/site_lint.yml | 4 +++- 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index b1ef428d0..13c9c844a 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -7,6 +7,8 @@ on: - main # change this if your default branch is named differently workflow_dispatch: +permissions: {} + jobs: analyze: runs-on: ubuntu-latest @@ -23,7 +25,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 5a3047cfc..7e5a24d04 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -2,10 +2,12 @@ name: Analyze Bundle (Comment) on: workflow_run: - workflows: ["Analyze Bundle"] + workflows: ['Analyze Bundle'] types: - completed +permissions: {} + jobs: comment: runs-on: ubuntu-latest diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml index a4b8c9137..a553b23a0 100644 --- a/.github/workflows/discord_notify.yml +++ b/.github/workflows/discord_notify.yml @@ -1,12 +1,17 @@ name: Discord Notify on: - pull_request_target: + pull_request: types: [opened, ready_for_review] +permissions: {} + jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml index 3d9fa2be1..6099b8fcb 100644 --- a/.github/workflows/label_core_team_prs.yml +++ b/.github/workflows/label_core_team_prs.yml @@ -1,7 +1,9 @@ name: Label Core Team PRs on: - pull_request_target: + pull_request: + +permissions: {} env: TZ: /usr/share/zoneinfo/America/Los_Angeles @@ -11,6 +13,9 @@ env: jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true @@ -19,6 +24,11 @@ jobs: if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} runs-on: ubuntu-latest needs: check_maintainer + permissions: + # Used to add labels on issues + issues: write + # Used to add labels on PRs + pull-requests: write steps: - name: Label PR as React Core Team uses: actions/github-script@v7 diff --git a/.github/workflows/site_lint.yml b/.github/workflows/site_lint.yml index 36f7642c9..81a04601c 100644 --- a/.github/workflows/site_lint.yml +++ b/.github/workflows/site_lint.yml @@ -7,6 +7,8 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: {} + jobs: lint: runs-on: ubuntu-latest @@ -25,7 +27,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps From f6d762cbbf958ca45bb8d1d011b31e5289e43a3d Mon Sep 17 00:00:00 2001 From: lauren Date: Fri, 21 Mar 2025 16:32:50 -0400 Subject: [PATCH 2/3] [ci] Pin 3rd party actions to specific hash (#7690) * [ci] Fix permissions and don't use pull_request_target Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. * [ci] Pin 3rd party actions to specific hash --- .github/workflows/analyze.yml | 2 +- .github/workflows/analyze_comment.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 13c9c844a..83e7f2e8a 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -57,7 +57,7 @@ jobs: name: bundle_analysis.json - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e if: success() && github.event.number with: workflow: analyze.yml diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 7e5a24d04..1e086b9b7 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -16,7 +16,7 @@ jobs: github.event.workflow_run.conclusion == 'success' }} steps: - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -24,7 +24,7 @@ jobs: path: analysis_comment.txt - name: Download PR number - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -50,7 +50,7 @@ jobs: echo "pr-number=$pr_number" >> $GITHUB_OUTPUT - name: Comment - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 with: header: next-bundle-analysis number: ${{ steps.get-comment-body.outputs.pr-number }} From c3a286873b4ce504289403f636dbc277973cdad1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EB=A3=A8=EB=B0=80LuMir?= Date: Mon, 24 Mar 2025 11:55:51 +0900 Subject: [PATCH 3/3] chore: resolve conflicts --- .github/workflows/analyze.yml | 4 --- .github/workflows/discord_notify.yml | 33 ------------------ .github/workflows/label_core_team_prs.yml | 42 ----------------------- 3 files changed, 79 deletions(-) delete mode 100644 .github/workflows/discord_notify.yml delete mode 100644 .github/workflows/label_core_team_prs.yml diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 1d2de03cf..83e7f2e8a 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -57,11 +57,7 @@ jobs: name: bundle_analysis.json - name: Download base branch bundle stats -<<<<<<< HEAD - uses: dawidd6/action-download-artifact@v4 -======= uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e ->>>>>>> f6d762cbbf958ca45bb8d1d011b31e5289e43a3d if: success() && github.event.number with: workflow: analyze.yml diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml deleted file mode 100644 index a553b23a0..000000000 --- a/.github/workflows/discord_notify.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Discord Notify - -on: - pull_request: - types: [opened, ready_for_review] - -permissions: {} - -jobs: - check_maintainer: - uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main - permissions: - # Used by check_maintainer - contents: read - with: - actor: ${{ github.event.pull_request.user.login }} - is_remote: true - - notify: - if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} - needs: check_maintainer - runs-on: ubuntu-latest - steps: - - name: Discord Webhook Action - uses: tsickert/discord-webhook@v6.0.0 - with: - webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }} - embed-author-name: ${{ github.event.pull_request.user.login }} - embed-author-url: ${{ github.event.pull_request.user.html_url }} - embed-author-icon-url: ${{ github.event.pull_request.user.avatar_url }} - embed-title: '#${{ github.event.number }} (+${{github.event.pull_request.additions}} -${{github.event.pull_request.deletions}}): ${{ github.event.pull_request.title }}' - embed-description: ${{ github.event.pull_request.body }} - embed-url: ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml deleted file mode 100644 index 6099b8fcb..000000000 --- a/.github/workflows/label_core_team_prs.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: Label Core Team PRs - -on: - pull_request: - -permissions: {} - -env: - TZ: /usr/share/zoneinfo/America/Los_Angeles - # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cache-segment-restore-timeout - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 - -jobs: - check_maintainer: - uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main - permissions: - # Used by check_maintainer - contents: read - with: - actor: ${{ github.event.pull_request.user.login }} - is_remote: true - - label: - if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} - runs-on: ubuntu-latest - needs: check_maintainer - permissions: - # Used to add labels on issues - issues: write - # Used to add labels on PRs - pull-requests: write - steps: - - name: Label PR as React Core Team - uses: actions/github-script@v7 - with: - script: | - github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: ${{ github.event.number }}, - labels: ['React Core Team'] - });