From 982b16d60e637a41b9c2e7c347869c1260b9ee90 Mon Sep 17 00:00:00 2001 From: lauren Date: Fri, 21 Mar 2025 16:32:38 -0400 Subject: [PATCH 1/3] [ci] Fix permissions and don't use pull_request_target (#7689) Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. --- .github/workflows/analyze.yml | 4 +++- .github/workflows/analyze_comment.yml | 4 +++- .github/workflows/discord_notify.yml | 7 ++++++- .github/workflows/label_core_team_prs.yml | 12 +++++++++++- .github/workflows/site_lint.yml | 4 +++- 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index b1ef428d0c..13c9c844af 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -7,6 +7,8 @@ on: - main # change this if your default branch is named differently workflow_dispatch: +permissions: {} + jobs: analyze: runs-on: ubuntu-latest @@ -23,7 +25,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 5a3047cfc8..7e5a24d042 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -2,10 +2,12 @@ name: Analyze Bundle (Comment) on: workflow_run: - workflows: ["Analyze Bundle"] + workflows: ['Analyze Bundle'] types: - completed +permissions: {} + jobs: comment: runs-on: ubuntu-latest diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml index a4b8c9137b..a553b23a03 100644 --- a/.github/workflows/discord_notify.yml +++ b/.github/workflows/discord_notify.yml @@ -1,12 +1,17 @@ name: Discord Notify on: - pull_request_target: + pull_request: types: [opened, ready_for_review] +permissions: {} + jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml index 3d9fa2be17..6099b8fcbf 100644 --- a/.github/workflows/label_core_team_prs.yml +++ b/.github/workflows/label_core_team_prs.yml @@ -1,7 +1,9 @@ name: Label Core Team PRs on: - pull_request_target: + pull_request: + +permissions: {} env: TZ: /usr/share/zoneinfo/America/Los_Angeles @@ -11,6 +13,9 @@ env: jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true @@ -19,6 +24,11 @@ jobs: if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} runs-on: ubuntu-latest needs: check_maintainer + permissions: + # Used to add labels on issues + issues: write + # Used to add labels on PRs + pull-requests: write steps: - name: Label PR as React Core Team uses: actions/github-script@v7 diff --git a/.github/workflows/site_lint.yml b/.github/workflows/site_lint.yml index 36f7642c9e..81a04601c2 100644 --- a/.github/workflows/site_lint.yml +++ b/.github/workflows/site_lint.yml @@ -7,6 +7,8 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: {} + jobs: lint: runs-on: ubuntu-latest @@ -25,7 +27,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps From f6d762cbbf958ca45bb8d1d011b31e5289e43a3d Mon Sep 17 00:00:00 2001 From: lauren Date: Fri, 21 Mar 2025 16:32:50 -0400 Subject: [PATCH 2/3] [ci] Pin 3rd party actions to specific hash (#7690) * [ci] Fix permissions and don't use pull_request_target Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. * [ci] Pin 3rd party actions to specific hash --- .github/workflows/analyze.yml | 2 +- .github/workflows/analyze_comment.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 13c9c844af..83e7f2e8a9 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -57,7 +57,7 @@ jobs: name: bundle_analysis.json - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e if: success() && github.event.number with: workflow: analyze.yml diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 7e5a24d042..1e086b9b70 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -16,7 +16,7 @@ jobs: github.event.workflow_run.conclusion == 'success' }} steps: - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -24,7 +24,7 @@ jobs: path: analysis_comment.txt - name: Download PR number - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -50,7 +50,7 @@ jobs: echo "pr-number=$pr_number" >> $GITHUB_OUTPUT - name: Comment - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 with: header: next-bundle-analysis number: ${{ steps.get-comment-body.outputs.pr-number }} From 353f3cf3370a323ff9bc2375b95f207e86a0b41d Mon Sep 17 00:00:00 2001 From: Xleine Date: Sun, 23 Mar 2025 15:22:31 +0800 Subject: [PATCH 3/3] fix conflict --- .github/workflows/analyze.yml | 5 ----- .github/workflows/analyze_comment.yml | 10 ---------- 2 files changed, 15 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index e26211caf3..aac640d91d 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -71,13 +71,8 @@ jobs: name: bundle_analysis.json - name: Download base branch bundle stats -<<<<<<< HEAD - uses: dawidd6/action-download-artifact@v3 - if: success() -======= uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e if: success() && github.event.number ->>>>>>> f6d762cbbf958ca45bb8d1d011b31e5289e43a3d with: workflow: analyze.yml branch: ${{ github.event.pull_request.base.ref || 'main' }} diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index face3db38a..1c061c56fa 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -27,12 +27,7 @@ jobs: echo "event-type=$event_type" >> $GITHUB_OUTPUT - name: Download base branch bundle stats -<<<<<<< HEAD - if: github.event.workflow_run.conclusion == 'success' && steps.get-type.outputs.event-type == 'pull_request' - uses: dawidd6/action-download-artifact@v3 -======= uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e ->>>>>>> f6d762cbbf958ca45bb8d1d011b31e5289e43a3d with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -40,12 +35,7 @@ jobs: path: analysis_comment.txt - name: Download PR number -<<<<<<< HEAD - if: github.event.workflow_run.conclusion == 'success' && steps.get-type.outputs.event-type == 'pull_request' - uses: dawidd6/action-download-artifact@v3 -======= uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e ->>>>>>> f6d762cbbf958ca45bb8d1d011b31e5289e43a3d with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }}