
chore(ci): no more pull_request_target #8992

Open
avivkeller wants to merge 3 commits into main from no-target

Conversation

@avivkeller

Member

No description provided.

Copilot AI review requested due to automatic review settings July 1, 2026 21:30
@avivkeller avivkeller requested a review from a team as a code owner July 1, 2026 21:30
@vercel

vercel Bot commented Jul 1, 2026


Project: nodejs-org | Deployment: Ready | Actions: Preview | Updated (UTC): Jul 4, 2026 3:43am

@cursor

cursor Bot commented Jul 1, 2026


PR Summary

Medium Risk
Workflow architecture changes affect when bundle/Lighthouse/Chromatic run and whether fork PRs get comments; misconfiguration could skip feedback or weaken the split between untrusted runs and comment posting.

Overview
Moves PR feedback workflows off pull_request_target by running untrusted work on pull_request and posting comments from a separate trusted workflow_run job.

Bundle size: Deletes bundle-compare.yml and adds a compare-bundle-size job to build.yml (PR-only) that compares webpack stats against the base branch run, then uploads a pr-comment artifact instead of commenting inline. Base stats lookup now keys off github.event.pull_request.base.sha and build.yml.

Lighthouse: Switches to pull_request, drops pull-requests: write and the in-workflow “Running Lighthouse…” / result comments; formatted output is written to pr-comment/comment.md with tag lighthouse_audit.

Leave Comment (new): On completion of Build or Lighthouse, downloads pr-comment, resolves the PR (including fork HEAD SHA fallback), sanitizes the tag, and posts via file-path so untrusted markdown is not interpolated into expressions.

Chromatic: Uses pull_request (no label-only trigger), runs on ui-components PRs without the github_actions:pull-request label gate, bumps chromaui/action to v18, and reads CHROMATIC_PROJECT_TOKEN from vars instead of secrets.

Reviewed by Cursor Bugbot for commit 27b091a.

Comment on lines +3 to +7

on:
  workflow_run:
    # Any Workflow that uploads a `pr-comment` artifact should be listed here
    workflows: ['Build', 'Lighthouse']
    types: [completed]
Comment thread .github/workflows/build.yml
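The trusted workflow_run side of the pattern described in the summary above, as an added example (not the repository's leave-comment.yml or its github-script code). It assumes the untrusted pull_request job uploaded a pr-comment artifact containing comment.md and a tag file, and that the caller supplies a minimal octokit-like client with listComments, updateComment and createComment plus a head-SHA lookup for fork PRs.

```javascript
// Added example of the trusted workflow_run posting side; not the repo's own code.
// Assumes the untrusted pull_request job uploaded a `pr-comment` artifact holding
// `comment.md` (markdown body) and `tag` (e.g. lighthouse_audit). Every byte of
// that artifact is attacker-controlled when the PR comes from a fork.

// Keep only a conservative character set and bound the length. The tag is
// embedded in an HTML comment marker, so `-->`, newlines or `${{` must not survive.
function sanitizeTag(raw) {
  const tag = String(raw).trim().replace(/[^a-z0-9_-]/gi, '').slice(0, 64);
  if (!tag) throw new Error('artifact tag is empty after sanitization');
  return tag;
}

// Hidden marker so a later run updates its own comment instead of adding a new one.
function marker(tag) {
  return `<!-- pr-comment:${tag} -->`;
}

// workflow_run payloads list same-repo PRs directly but are usually empty for fork
// PRs; fall back to looking the PR up by the run's head SHA (lookup supplied by caller).
async function resolvePullNumber(workflowRun, listPullsByHeadSha) {
  const direct = (workflowRun.pull_requests || [])[0];
  if (direct) return direct.number;
  const matches = await listPullsByHeadSha(workflowRun.head_sha);
  if (matches.length !== 1) {
    throw new Error(`expected exactly one open PR for ${workflowRun.head_sha}, got ${matches.length}`);
  }
  return matches[0].number;
}

// The body travels as a plain string argument to the API call; it is never spliced
// into a shell command or a `${{ }}` expression, so markdown cannot become code.
// `client` is a minimal octokit-like object (assumed shape, see lead-in).
async function upsertComment(client, prNumber, rawTag, markdown) {
  const tag = sanitizeTag(rawTag);
  const body = `${marker(tag)}\n${markdown}`;
  const comments = await client.listComments(prNumber);
  const existing = comments.find((c) => (c.body || '').startsWith(marker(tag)));
  if (existing) return client.updateComment(existing.id, body);
  return client.createComment(prNumber, body);
}

// Glue for the real job: read both files from the downloaded artifact directory.
async function postFromArtifact(client, prNumber, artifactDir) {
  const fs = await import('node:fs'); // dynamic import works in both CJS and ESM
  const read = (name) => fs.readFileSync(`${artifactDir}/${name}`, 'utf8');
  return upsertComment(client, prNumber, read('tag'), read('comment.md'));
}
```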
@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.44%. Comparing base (b75ea02) to head (27b091a).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8992      +/-   ##
==========================================
+ Coverage   75.41%   75.44%   +0.02%     
==========================================
  Files          98       98              
  Lines        8636     8636              
  Branches      318      318              
==========================================
+ Hits         6513     6515       +2     
+ Misses       2119     2117       -2     
  Partials        4        4              


Comment thread .github/workflows/leave-comment.yml

Copilot AI left a comment

Contributor


Pull request overview

This PR removes usage of the privileged pull_request_target trigger in CI workflows and replaces direct PR-commenting with a safer two-workflow pattern: untrusted pull_request workflows serialize comment data into an artifact, and a trusted workflow_run workflow posts the comment after completion.

Changes:

  • Switch Lighthouse and Chromatic workflows from pull_request_target to pull_request and adjust permissions/commenting behavior accordingly.
  • Add a new Leave Comment workflow that downloads a pr-comment artifact on workflow_run completion and posts it to the PR.
  • Replace the standalone bundle-compare workflow_run workflow by integrating bundle comparison into the main Build workflow and emitting a pr-comment artifact.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Summary per file:

  • .github/workflows/lighthouse.yml: Runs Lighthouse in pull_request context and uploads a pr-comment artifact instead of commenting directly.
  • .github/workflows/leave-comment.yml: New trusted workflow_run workflow intended to post PR comments based on downloaded artifacts.
  • .github/workflows/chromatic.yml: Moves Chromatic to pull_request and changes how the Chromatic token is sourced.
  • .github/workflows/bundle-compare.yml: Removes the old standalone bundle compare workflow_run workflow.
  • .github/workflows/build.yml: Adds an in-workflow bundle size comparison job and uploads pr-comment artifacts for trusted commenting.


Comment on lines +18 to +22

  leave-comment:
    name: Leave Comment
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
Comment thread .github/workflows/leave-comment.yml Outdated
Comment thread .github/workflows/chromatic.yml
Comment thread .github/workflows/chromatic.yml
Comment thread .github/workflows/build.yml
Comment thread .github/workflows/lighthouse.yml
Comment thread .github/workflows/leave-comment.yml
@avivkeller

Member Author

Not sure why Next.js didn't generate the stats file... maybe something changed?

@avivkeller

Member Author

Looks like TURBOPACK_STATS is broken, and has been for some time. @MattIPv4 It's not really idiomatic, but I'm going to update this PR to also fix this.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


Reviewed by Cursor Bugbot for commit c075acf.

Comment thread .github/workflows/build.yml
Signed-off-by: Aviv Keller <me@aviv.sh>