chore(ci): no more pull_request_target#8992

Open
avivkeller wants to merge 5 commits into
mainfrom
no-target

Conversation

@avivkeller
Member

No description provided.

Copilot AI review requested due to automatic review settings July 1, 2026 21:30
@avivkeller avivkeller requested a review from a team as a code owner July 1, 2026 21:30
@vercel

vercel Bot commented Jul 1, 2026

The latest updates on your projects.

Project     Deployment  Actions  Updated (UTC)
nodejs-org  Ready       Preview  Jul 4, 2026 8:07pm

@cursor

cursor Bot commented Jul 1, 2026


PR Summary

Medium Risk
Workflow permission and comment-posting architecture changed across multiple CI paths; misconfiguration could skip comments or affect fork PRs, though the split trusted/untrusted pattern reduces secret exposure.

Overview
Replaces pull_request_target on Chromatic and Lighthouse with the standard pull_request trigger, and stops posting PR comments from those untrusted workflows. Build and Lighthouse now upload a pr-comment artifact (body + tag); a new Leave Comment workflow runs on workflow_run completion, resolves the PR (including fork HEAD SHA lookup), and posts the markdown via file-path so untrusted content is not interpolated into expressions.

Bundle size reporting moves from the deleted bundle-compare.yml into a compare-bundle-size job on build.yml (PR-only). Stats come from route-bundle-stats.json instead of webpack-stats.json, with base stats fetched via gh run list on the PR base SHA. compare-size/index.mjs now diffs per-route first load uncompressed JS rather than webpack asset sizes.

Chromatic no longer requires the github_actions:pull-request label on PRs; it uses vars.CHROMATIC_PROJECT_TOKEN, bumps chromaui/action to v18, and keeps Dependabot/Crowdin skips.

Reviewed by Cursor Bugbot for commit efab82a.

Comment on lines +3 to +7

    on:
      workflow_run:
        # Any Workflow that uploads a `pr-comment` artifact should be listed here
        workflows: ['Build', 'Lighthouse']
        types: [completed]
@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.41%. Comparing base (b75ea02) to head (efab82a).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8992   +/-   ##
=======================================
  Coverage   75.41%   75.41%           
=======================================
  Files          98       98           
  Lines        8636     8636           
  Branches      318      318           
=======================================
  Hits         6513     6513           
  Misses       2119     2119           
  Partials        4        4           


Copilot AI left a comment
Contributor

Pull request overview

This PR removes usage of the privileged pull_request_target trigger in CI workflows and replaces direct PR-commenting with a safer two-workflow pattern: untrusted pull_request workflows serialize comment data into an artifact, and a trusted workflow_run workflow posts the comment after completion.

Changes:

  • Switch Lighthouse and Chromatic workflows from pull_request_target to pull_request and adjust permissions/commenting behavior accordingly.
  • Add a new Leave Comment workflow that downloads a pr-comment artifact on workflow_run completion and posts it to the PR.
  • Replace the standalone bundle-compare workflow_run workflow by integrating bundle comparison into the main Build workflow and emitting a pr-comment artifact.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Summary per file

File                                   Description
.github/workflows/lighthouse.yml       Runs Lighthouse in pull_request context and uploads a pr-comment artifact instead of commenting directly.
.github/workflows/leave-comment.yml    New trusted workflow_run workflow intended to post PR comments based on downloaded artifacts.
.github/workflows/chromatic.yml        Moves Chromatic to pull_request and changes how the Chromatic token is sourced.
.github/workflows/bundle-compare.yml   Removes the old standalone bundle compare workflow_run workflow.
.github/workflows/build.yml            Adds an in-workflow bundle size comparison job and uploads pr-comment artifacts for trusted commenting.
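The trusted half of the two-workflow pattern that the Cursor and Copilot summaries above describe, written out as an added illustration; this is not the leave-comment.yml from this PR. It assumes the untrusted workflow uploaded a single `pr-comment` artifact containing `body.md` and `tag.txt`, and that the "List pull requests associated with a commit" endpoint is used to resolve the PR from the head SHA.

```yaml
# Added illustration, not the project's workflow. Assumed artifact layout:
# `pr-comment/body.md` (markdown to post) and `pr-comment/tag.txt` (marker).
name: Leave Comment

on:
  workflow_run:
    # Every workflow that uploads a `pr-comment` artifact is listed here.
    workflows: ['Build', 'Lighthouse']
    types: [completed]

# Nothing by default; only the commenting job gets pull-requests: write.
permissions: {}

jobs:
  comment:
    # Only handle runs that were themselves triggered by a pull request.
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-comment
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          path: pr-comment

      - name: Post comment
        env:
          # Event data reaches the script through env, never via ${{ }}
          # inside `run:`, so untrusted values cannot alter the shell.
          GH_TOKEN: ${{ github.token }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # workflow_run.pull_requests is empty for fork PRs, so resolve the
          # PR number from the head SHA instead.
          PR=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/pulls" --jq '.[0].number')
          if [ -z "$PR" ] || [ "$PR" = "null" ]; then
            echo "No open PR found for $HEAD_SHA"; exit 0
          fi
          # The tag comes from the untrusted run: keep only a safe character set.
          TAG=$(tr -cd 'a-z0-9-' < pr-comment/tag.txt)
          printf '\n<!-- pr-comment:%s -->\n' "$TAG" >> pr-comment/body.md
          # The body is passed by file path, so its markdown is never
          # interpolated into an expression or a shell command.
          gh pr comment "$PR" --repo "$REPO" --body-file pr-comment/body.md
```

The untrusted `pull_request` workflows keep `permissions: contents: read` and only call `actions/upload-artifact`; every secret-bearing step lives in this workflow.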

@avivkeller

Member Author

Not sure why Next.js didn't generate the stats file... maybe something changed?

@avivkeller

Member Author

Looks like TURBOPACK_STATS is broken, and has been for some time. @MattIPv4 It's not really idiomatic, but I'm going to update this PR to also fix this.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit c075acf.
Signed-off-by: Aviv Keller <me@aviv.sh>
@avivkeller avivkeller requested a review from a team as a code owner July 4, 2026 20:05
@avivkeller avivkeller requested a review from MattIPv4 July 4, 2026 20:05
Comment on lines +4 to +7

      workflow_run:
        # Any Workflow that uploads a `pr-comment` artifact should be listed here
        workflows: ['Build', 'Lighthouse']
        types: [completed]

Member

This will need a zizmor ignore comment with a justification, please
