From 308b52753e084fa4005dcd54b450f3dd87bbfc6d Mon Sep 17 00:00:00 2001
From: Rodrigo Pombo
Date: Mon, 16 Mar 2026 16:12:51 +0100
Subject: [PATCH] Replace vulnerable pr workflow
---
.github/scripts/pr-updated.mjs | 4 +-
.../{pr-updated.yml => pr-build.yml} | 23 ++++-----
.github/workflows/pr-comment.yml | 50 +++++++++++++++++++
3 files changed, 62 insertions(+), 15 deletions(-)
rename .github/workflows/{pr-updated.yml => pr-build.yml} (59%)
create mode 100644 .github/workflows/pr-comment.yml
diff --git a/.github/scripts/pr-updated.mjs b/.github/scripts/pr-updated.mjs
index f0d47c65..039fd178 100644
--- a/.github/scripts/pr-updated.mjs
+++ b/.github/scripts/pr-updated.mjs
@@ -5,7 +5,9 @@ import { IDENTIFIER, PACKAGE_NAME } from "./params.mjs"
import github from "@actions/github"
const octokit = new Octokit({})
-const prNumber = github.context.payload.pull_request.number
+const prNumber =
+ github.context.payload.pull_request?.number ||
+ Number(process.env.PR_NUMBER)
async function createOrUpdateComment(prevComment, prNumber, body) {
if (prevComment) {
diff --git a/.github/workflows/pr-updated.yml b/.github/workflows/pr-build.yml
similarity index 59%
rename from .github/workflows/pr-updated.yml
rename to .github/workflows/pr-build.yml
index 096b894b..117a7aa1 100644
--- a/.github/workflows/pr-updated.yml
+++ b/.github/workflows/pr-build.yml
@@ -1,7 +1,7 @@
-name: PR Updated
+name: PR Build
on:
- pull_request_target:
+ pull_request:
branches:
- next
@@ -10,19 +10,13 @@ concurrency:
cancel-in-progress: true
jobs:
- comment-pr:
- name: Comment PR
+ build:
+ name: Build PR
runs-on: ubuntu-latest
- permissions:
- issues: write
- pull-requests: write
- steps:
- name: Checkout code
uses: actions/checkout@v4
- with:
- ref: "${{ github.event.pull_request.head.sha }}"
- name: Install pnpm
uses: pnpm/action-setup@v4
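Review bot: The fallback `Number(process.env.PR_NUMBER)` on the new side is never checked, so an unset `PR_NUMBER` leaves `prNumber` as `NaN` and an empty one leaves it as `0`, and every later API call is made against that bogus number; the empty case is realistic because the new pr-comment.yml sets it from `github.event.workflow_run.pull_requests[0].number`, which expands to nothing when `workflow_run.pull_requests` is empty (as it can be for fork-triggered runs). Guard it right after the declaration: `if (!Number.isInteger(prNumber) || prNumber <= 0) throw new Error("invalid pull request number")`. On the workflow side, either fail the job early when that expression is empty or look the PR up through the API by `github.event.workflow_run.head_sha`, but never take the number from the downloaded artifact, since that would let the build run choose which PR is commented on. Note that `||` works here only because PR numbers start at 1; `??` would state the intent more precisely. The `createOrUpdateComment` function that follows continues outside the hunk.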
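Review bot: Dropping the `permissions:` block leaves the renamed `build` job on the repository's default `GITHUB_TOKEN` permissions, which depending on repository settings can include write scopes, although the job now only checks out, builds and uploads an artifact. Add an explicit least-privilege block under `build:`: `permissions:` followed by `  contents: read`. Under the `pull_request` trigger the token is read-only for fork PRs anyway, so this mainly hardens same-repository PRs and records that the build job is meant to have no write access. The job's later steps, including the artifact upload, are in the next hunk.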
@@ -41,7 +35,8 @@ jobs:
- run: pnpm canary
- - name: Add or update PR comment
- run: node .github/scripts/pr-updated.mjs ${{ github.event.pull_request.number }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: pr-build
+ path: canary.json
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
new file mode 100644
index 00000000..5a277caa
--- /dev/null
+++ b/.github/workflows/pr-comment.yml
@@ -0,0 +1,50 @@
+name: PR Comment
+
+on:
+ workflow_run:
+ workflows: ["PR Build"]
+ types:
+ - completed
+
+jobs:
+ comment-pr:
+ name: Comment PR
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+
+ permissions:
+ contents: read
+ actions: read
+ issues: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Download build artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: pr-build
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@v4
+ with:
+ run_install: false
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ cache: "pnpm"
+
+ - name: Install script dependencies
+ run: pnpm install --ignore-scripts
+
+ - name: Add or update PR comment
+ run: node .github/scripts/pr-updated.mjs
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
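Review bot: The added `uses: actions/upload-artifact@v4` references a mutable tag, as do `actions/checkout@v4`, `actions/download-artifact@v4`, `pnpm/action-setup@v4` and `actions/setup-node@v4` in the new pr-comment.yml; since the artifact this step produces is later consumed by a job holding `pull-requests: write`, a re-pointed tag in any of these actions would run with that token. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v4` with the placeholder replaced by the SHA of the v4 release you reviewed. The `build` job's earlier steps are outside this hunk.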
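Review bot: `Download build artifacts` omits `path:`, so `actions/download-artifact@v4` extracts the `pr-build` artifact into the workspace before `pnpm install` and `node .github/scripts/pr-updated.mjs` run, and that artifact is produced under `pull_request` by the PR's own copy of pr-build.yml, so its file names and contents are chosen by the PR author and can replace the script or `package.json` that this job then executes with `pull-requests: write`. Download it outside the checkout and treat its content as untrusted data: `path: ${{ runner.temp }}/pr-build` on the download step, pass that directory to the script through an env var (a constructed name such as `CANARY_DIR`), and have the script `JSON.parse` only `canary.json` from there and copy only the expected fields into the comment body. The `if:` guard on `workflow_run.event == 'pull_request'` and `--ignore-scripts` on the install are the right defaults and should stay.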