-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does not work with pull_request_target #54
Comments
EDIT: DON'T DO THIS, ITS INSECURE (#54 (comment))
|
After discussing with security at Github and Facebook, my workaround works but is insecure and can lead to the GH token being stolen. https://securitylab.github.com/research/github-actions-preventing-pwn-requests When using So, in its current form, this GH action does not work well for open-source as it can't security work for PRs from forks. To make this work, we need 2 actions:
|
@slorber the conclusion you came to is effectively why I've held off on supporting this 👍 That being said, one of the possibilities that seems worth considering is if there's a way to report information via a check status rather than a PR comment, since those do not require write access to the primary repository. I wasn't able to get this working, but it seems like the right path forward. Thoughts? |
@developit git commit statuses work great for some use-cases but the maintainer would have to check it to see potential size regressions, which will likely remain unseen in many cases. Afaik there's no "warning" status and it's either a success or failure. It would just be a bit more convenient than checking the GH action log directly, but not much. Another possibility is to create a generic package that would expose a lambda, that we can easily deploy to Vercel/Netlify to post the comment. I guess other tools could benefit from this as many try to post comments to PR. |
I don't want to force folks to use an external service - it's a SPOF at best, and a privacy/complexity problem at worst. One of the things I've been pondering is building a generic "post comment" action that accepts a JSON comment payload as an artifact. Then compressed-size-action could produce the "comment description" artifact via |
Yes that should work, also what I suggested by using 2 actions above. FYI we are using this action to post a lighthouse comment, so it can probably be re-used, as long as you provide the message as a string. https://github.com/marocchino/sticky-pull-request-comment
Why JSON instead of string? If this action was able to provide the current comment as a string artifact, I could probably use today the workflow using this action + sticky-pull-request-comment |
Edit: make sure to check my security issue comment here: #54 (comment)
When using pull_request_target, the action compares master against master, instead of comparing master against the PR.
This bug repo PR demonstrates the problem:
#53
I expect changes to be reported in comments according to my changes but no changes were reported.
We can also see the problem in the Action logs:
https://github.com/preactjs/compressed-size-action/runs/1929330272?check_suite_focus=true
The commit hash is used 2 times and is the current HEAD of master:
cc @developit
The text was updated successfully, but these errors were encountered: