chore(ci): no more pull_request_target #8992
PR Summary (Medium Risk). Overview: Bundle size reporting moves from the deleted [...] Chromatic no longer requires the [...]. Reviewed by Cursor Bugbot for commit efab82a.
```yaml
on:
  workflow_run:
    # Any Workflow that uploads a `pr-comment` artifact should be listed here
    workflows: ['Build', 'Lighthouse']
    types: [completed]
```
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff:

| | main | #8992 | +/- |
|---|---|---|---|
| Coverage | 75.41% | 75.41% | |
| Files | 98 | 98 | |
| Lines | 8636 | 8636 | |
| Branches | 318 | 318 | |
| Hits | 6513 | 6513 | |
| Misses | 2119 | 2119 | |
| Partials | 4 | 4 | |
Pull request overview
This PR removes usage of the privileged pull_request_target trigger in CI workflows and replaces direct PR-commenting with a safer two-workflow pattern: untrusted pull_request workflows serialize comment data into an artifact, and a trusted workflow_run workflow posts the comment after completion.
Changes:
- Switch Lighthouse and Chromatic workflows from `pull_request_target` to `pull_request` and adjust permissions/commenting behavior accordingly.
- Add a new `Leave Comment` workflow that downloads a `pr-comment` artifact on `workflow_run` completion and posts it to the PR.
- Replace the standalone bundle-compare `workflow_run` workflow by integrating bundle comparison into the main Build workflow and emitting a `pr-comment` artifact.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/lighthouse.yml | Runs Lighthouse in pull_request context and uploads a pr-comment artifact instead of commenting directly. |
| .github/workflows/leave-comment.yml | New trusted workflow_run workflow intended to post PR comments based on downloaded artifacts. |
| .github/workflows/chromatic.yml | Moves Chromatic to pull_request and changes how the Chromatic token is sourced. |
| .github/workflows/bundle-compare.yml | Removes the old standalone bundle compare workflow_run workflow. |
| .github/workflows/build.yml | Adds an in-workflow bundle size comparison job and uploads pr-comment artifacts for trusted commenting. |
Not sure why Next.js didn't generate the stats file... maybe something changed?

Looks like
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit c075acf.
Signed-off-by: Aviv Keller <me@aviv.sh>
```yaml
  workflow_run:
    # Any Workflow that uploads a `pr-comment` artifact should be listed here
    workflows: ['Build', 'Lighthouse']
    types: [completed]
```
This will need a zizmor ignore comment with a justification, please
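The trusted `workflow_run` half of the two-workflow pattern described in the Copilot overview, written out as an added example rather than the PR's own `leave-comment.yml`: it assumes the `pr-comment` artifact holds a `pr-number` file and a `body.md` file, that zizmor's inline ignore syntax and the `dangerous-triggers` rule name are as shown, and it references actions by tag rather than pinned SHA. The checks on the PR number and head SHA are the part that keeps an untrusted run from steering the comment onto a different PR.

```yaml
name: Leave Comment
# Trusted half of the pattern: runs with base-repo permissions but only consumes
# plain-text artifact data produced by the untrusted `pull_request` run.
on:
  workflow_run: # zizmor: ignore[dangerous-triggers]
    # Any workflow that uploads a `pr-comment` artifact should be listed here
    workflows: ['Build', 'Lighthouse']
    types: [completed]
permissions:
  contents: read
  pull-requests: write
jobs:
  comment:
    # Only act on runs that came from a PR and finished cleanly
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-comment
          path: pr-comment
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // Assumed artifact layout: `pr-number` (digits only) and `body.md` (markdown)
            const prNumber = Number(fs.readFileSync('pr-comment/pr-number', 'utf8').trim());
            const body = fs.readFileSync('pr-comment/body.md', 'utf8');
            if (!Number.isInteger(prNumber) || prNumber <= 0) {
              core.setFailed('artifact did not contain a valid PR number');
              return;
            }
            // The PR number came from the untrusted run: accept it only if that
            // PR's head commit is the one that produced the triggering run.
            const { owner, repo } = context.repo;
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed('PR number in artifact does not match the triggering run');
              return;
            }
            await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body });
```

The artifact contents are only ever read as text and posted as a comment body; nothing from the untrusted run is executed in this context.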

No description provided.