Merged
22 changes: 15 additions & 7 deletions .github/workflows/ci.yml
@@ -4,31 +4,39 @@ on:
push:
branches:
- next

- V3.0
pull_request:
branches:
- next

- V3.0
pull_request_target:
types: [opened, synchronize, reopened]
workflow_dispatch:

permissions: write-all
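Review bot: `permissions: write-all` on the last line of this region grants every job in the file every token scope, while the only job defined below adds a label, which needs `pull-requests: write` (plus `contents: read` for the checkout step). Combined with the newly added `pull_request_target` trigger, which runs in the base repository's context with access to secrets for pull requests from forks, the broad grant is the part to tighten first; the checkout step below does not set `ref:` to the PR head, so only base-branch code runs, and that property should be kept when the file is edited. Suggest replacing the line with a scoped block such as `permissions:` / `  contents: read` / `  pull-requests: write`.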
Comment on lines +12 to +16

⚠️ Potential issue
The workflow's security configuration needs hardening

The current configuration has the following security risks:

  1. Using the pull_request_target trigger may cause code from a malicious PR to run in an environment that has repository permissions
  2. permissions: write-all is overly broad and violates the principle of least privilege

The following changes are suggested:

- permissions: write-all
+ permissions:
+   pull-requests: write  # for adding labels
+   contents: read       # for checking out code
+   security-events: write  # for code scanning results

  pull_request_target:
    types: [opened, synchronize, reopened]
+   paths-ignore:
+     - '**.md'
+     - 'docs/**'

jobs:
label:
add-label:

💡 Codebase verification

The GitHub token configuration needs to be updated

The workflow still uses GITHUB_TOKEN, but according to the requirements it should use PERSONAL_ACCESS_TOKEN. Specific locations:

  • .github/workflows/ci.yml: the label-adding step on lines 24-32 uses github_token: ${{ secrets.GITHUB_TOKEN }}
  • .github/workflows/issue-close.yml: also uses GITHUB_TOKEN, but this file is outside the scope of the current PR's changes
🔗 Analysis chain

Please confirm the access token usage!

The improvements to the label-adding job are good, but the following points need attention:

  1. The branch-detection logic is more complete now, with handling added for non-matching branches
  2. According to the PR description, PERSONAL_ACCESS_TOKEN should be used, but the code still uses GITHUB_TOKEN

It is recommended to verify whether the token permissions meet the requirements:

Also applies to: 24-32, 35-40


Let me check the actual token usage in these files.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check token usage in the workflows
rg -l "GITHUB_TOKEN|PERSONAL_ACCESS_TOKEN" .github/workflows/

Length of output: 122


Script:

#!/bin/bash
# Check token usage in workflow files
rg "GITHUB_TOKEN|PERSONAL_ACCESS_TOKEN" .github/workflows/ -A 2 -B 2

Length of output: 682

runs-on: ubuntu-latest

steps:
- name: Check out the repository
- name: Check out repository
uses: actions/checkout@v4

- name: Determine label
id: determine_label
- name: Determine label based on target branch
id: determine-label
run: |
echo "${{github.event_name}}"
if [[ "${{ github.event.pull_request.base.ref }}" == "next" ]]; then
echo "label=2.x" >> $GITHUB_ENV
elif [[ "${{ github.event.pull_request.base.ref }}" == "V3.0" ]]; then
echo "label=3.x" >> $GITHUB_ENV
else
echo "label=" >> $GITHUB_ENV
fi

- name: Add label to PR
- name: Add label to Pull Request
if: github.event_name == 'pull_request_target' && env.label != ''
uses: actions-ecosystem/action-add-labels@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
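Review bot: the `Determine label based on target branch` step declares `id: determine-label` but exports the result through `$GITHUB_ENV`, so the id is never referenced; either drop the id or write `echo "label=2.x" >> "$GITHUB_OUTPUT"` and read `steps.determine-label.outputs.label` in the `if:`, which keeps the value step-scoped. Quote `"$GITHUB_ENV"` in the three redirections, and remove the `echo "${{github.event_name}}"` line, which reads as leftover debugging. Interpolating `${{ github.event.pull_request.base.ref }}` directly into the shell is low-risk here because the base branch is controlled by the repository, not the PR author, but passing it through an `env:` mapping is the safer habit for `run:` scripts. For the `Add label to Pull Request` step, `secrets.GITHUB_TOKEN` is sufficient for `actions-ecosystem/action-add-labels` once the token carries `pull-requests: write`; the built-in token is preferable to a personal access token because it is scoped to this run and expires with it.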