ci: update workflows and extend detect-secrets exclude#10286
Conversation
…from secrets detection
- Modified the exclude pattern for the detect-secrets hook to prevent false positives for the component_index.json file located in src/lfx/src/lfx/_assets.
…st handling
- Changed the event trigger from `pull_request` to `pull_request_target` to improve security when handling forked pull requests.
- Updated conditions for repository checkout and dependency installation to ensure safe execution only for same-repo pull requests.
- Adjusted PR comment conditions to reflect the new event trigger, maintaining functionality for both community forks and same-repo updates.
Walkthrough
Updates the GitHub Actions workflow to use pull_request_target and workflow_dispatch with refined conditional steps for checkout, dependency installation, script checks, and PR commenting based on PR origin. Extends detect-secrets pre-commit excludes to ignore the generated component_index.json file.
Sequence Diagram(s)
sequenceDiagram
autonumber
actor User as PR Author / Triggerer
participant GH as GitHub Actions
participant WF as update-component-index.yml
participant Repo as Repo (same/fork)
participant PR as Pull Request
User->>GH: Create/Update PR (from same repo or fork)
User->>GH: Or trigger workflow_dispatch
GH->>WF: Start workflow with event context
alt Event: workflow_dispatch
WF->>Repo: Checkout default branch (workflow_dispatch path)
WF->>WF: Install uv and dependencies
WF->>WF: Check script existence
WF->>PR: Post comment (manual run summary)
else Event: pull_request_target
alt Head repo == base repo (same-repo)
WF->>Repo: Checkout PR head (same-repo path)
WF->>WF: Install uv and dependencies
WF->>WF: Check script existence
WF->>PR: Comment as same-repo auto-update
else Head repo != base repo (community fork)
WF->>Repo: Do not checkout PR head
WF->>PR: Comment with community-fork instructions/summary
end
end
note over WF,PR: Conditions guard each step based on event type and repo origin.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks: ❌ Failed checks (1 error, 1 warning) | ✅ Passed checks (5 passed)
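The gating the walkthrough and sequence diagram describe (checkout and dependency install only for same-repo PRs or a manual run, comment-only for forks), as an added Python example that is not part of the PR or the project's workflow: it reproduces the workflow's `if:` guards as a function over constructed `github.event` payloads so the decision can be tested outside Actions, and it makes explicit two cases the YAML expressions only handle implicitly, a deleted head repository (GitHub sets `pull_request.head.repo` to null) and the case-insensitive string comparison of the expression `==` operator. The repository name `example-org/example-repo`, the branch names and the payloads are constructed.

```python
"""Decide what an update job may do with a pull request, mirroring the
workflow's `if:` guards for pull_request_target and workflow_dispatch.

Added example, not the project's workflow. The payloads below are constructed
to look like the `github.event` object GitHub passes to a run.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional

# Possible outcomes, one per branch of the workflow's conditions.
CHECKOUT_PR_HEAD = "checkout-pr-head"   # same-repo PR: safe to check out and run tooling
CHECKOUT_DEFAULT = "checkout-default"   # workflow_dispatch: run against the dispatched ref
COMMENT_ONLY = "comment-only"           # fork PR: never check out or execute its code
SKIP = "skip"                           # any other event: the job should not run


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    checkout_repo: Optional[str] = None
    checkout_ref: Optional[str] = None


def head_repo_full_name(event: dict[str, Any]) -> Optional[str]:
    """Return pull_request.head.repo.full_name, or None when it is absent.

    GitHub sets head.repo to null when the fork was deleted; the workflow's
    equality test against github.repository is then false, which is the
    comment-only branch. Fail closed the same way here.
    """
    head = (event.get("pull_request") or {}).get("head") or {}
    repo = head.get("repo")
    return repo.get("full_name") if isinstance(repo, dict) else None


def same_repo(head_name: Optional[str], repository: str) -> bool:
    # GitHub Actions compares strings case-insensitively in `==`; mirror that.
    return head_name is not None and head_name.lower() == repository.lower()


def decide(event_name: str, event: dict[str, Any], repository: str) -> Decision:
    """Apply the workflow's guards to one event and say which steps may run."""
    if event_name == "workflow_dispatch":
        return Decision(CHECKOUT_DEFAULT, "manual run on the base repository",
                        checkout_repo=repository, checkout_ref=event.get("ref"))
    if event_name != "pull_request_target":
        return Decision(SKIP, f"event {event_name!r} is not handled")

    head_name = head_repo_full_name(event)
    if head_name is None:
        return Decision(COMMENT_ONLY, "head repository is missing (deleted fork)")
    if not same_repo(head_name, repository):
        return Decision(COMMENT_ONLY, f"pull request comes from fork {head_name}")
    ref = event["pull_request"]["head"]["ref"]
    return Decision(CHECKOUT_PR_HEAD, "same-repo pull request",
                    checkout_repo=head_name, checkout_ref=ref)


# --- constructed sample payloads (not real events) -------------------------
REPOSITORY = "example-org/example-repo"


def _pr_event(head_repo: Optional[str], ref: str = "feat/update-index") -> dict[str, Any]:
    repo = {"full_name": head_repo} if head_repo is not None else None
    return {"pull_request": {"number": 1, "head": {"ref": ref, "repo": repo}}}


SAME_REPO_EVENT = _pr_event("example-org/example-repo")
MIXED_CASE_EVENT = _pr_event("Example-Org/Example-Repo")
FORK_EVENT = _pr_event("contributor/example-repo")
DELETED_FORK_EVENT = _pr_event(None)
DISPATCH_EVENT = {"ref": "refs/heads/main", "inputs": {}}

if __name__ == "__main__":
    for name, ev in [("pull_request_target", SAME_REPO_EVENT),
                     ("pull_request_target", FORK_EVENT),
                     ("pull_request_target", DELETED_FORK_EVENT),
                     ("workflow_dispatch", DISPATCH_EVENT)]:
        print(name, decide(name, ev, REPOSITORY))
```

The point of keeping the decision in one function is that every step that checks out, installs or runs code consults the same answer; in the YAML the equivalent is copying the identical `if:` expression onto each of those steps, which is what the workflow does.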
Actionable comments posted: 0
🧹 Nitpick comments (7)
.pre-commit-config.yaml (2)
33-33: Anchor the new exclude pattern for consistency and precision
Current alternative lacks a start anchor. Use ^ to mirror others and avoid accidental mid-path matches.
- exclude: '(^docs/|^SECURITY\.md$|src/lfx/src/lfx/_assets/component_index\.json$)' + exclude: '(^docs/|^SECURITY\.md$|^src/lfx/src/lfx/_assets/component_index\.json$)'
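Review bot: the anchored alternative is right, but the exclude now mixes two rationales (documentation paths versus a generated artifact) with nothing in the file saying why `component_index.json` is skipped; add a YAML comment above the hook along the lines of `# component_index.json is generated from component sources that detect-secrets already scans` so the next reader does not widen the pattern or drop it. pre-commit applies `exclude` as a regex search on the repository-relative path, so the leading `^` is what keeps a copy of the same file under any other prefix in scope.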
36-41: Confirm Biome formatting on the generated index
biome check applies to json and can rewrite the generated component_index.json. If you want to avoid churn, consider excluding that file here as well; otherwise, confirm the generator already outputs Biome-compliant JSON.
.github/workflows/update-component-index.yml (5)
22-35: Add fetch-depth: 0 to ensure git history availability
Your diagnostics step uses git log/show for prior content. Default checkout depth=1 may hide history. Fetch full history for reliability in both checkout paths.
- name: Checkout repository (PR from same repo only) if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.repository uses: actions/checkout@v4 with: repository: ${{ github.event.pull_request.head.repo.full_name }} ref: ${{ github.event.pull_request.head.ref }} token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 - name: Checkout repository (workflow_dispatch) if: github.event_name == 'workflow_dispatch' uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0
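Review bot: `ref: ${{ github.event.pull_request.head.ref }}` checks out the branch name, not the commit that triggered the run, so the job operates on whatever the branch tip is at checkout time; that is acceptable only because the step is gated to `head.repo.full_name == github.repository` and the job needs the branch in order to push back, so keep that condition byte-identical on every step that runs code and do not relax it. Separately, pushing with `token: ${{ secrets.GITHUB_TOKEN }}` means the auto-update commit will not start other workflows (GitHub does not create runs for pushes made with the default token), so the PR's regular checks will not re-run on the regenerated index unless the push uses a PAT or a GitHub App token; worth a comment next to the token so nobody reads the missing re-run as a bug. `fetch-depth: 0` is fine for the git log/show diagnostics, at the cost of a full clone per run.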
71-109: Change detection is solid; minor robustness nit
Use git add -N + git diff on the target file; jq-based metrics are guarded. All good. If you want to ensure stable diffs on JSON, consider normalizing with jq -S before diffing.
110-131: Push loop is fine; consider job-level concurrency
The retry+rebase loop helps. Add a concurrency group to avoid parallel jobs racing on the same PR branch.
jobs: update-index: runs-on: ubuntu-latest + concurrency: + group: component-index-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true
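Review bot: `cancel-in-progress: true` on a job that commits and pushes can cancel a run after it has regenerated the index but before the push lands, leaving the PR stale until the next trigger; for a write-back job, queue rather than cancel (`cancel-in-progress: false`) and let the existing retry+rebase loop absorb the serialized pushes. Also, the key `github.event.pull_request.number || github.ref` puts a `workflow_dispatch` run on a branch in a different group from the `pull_request_target` run for the PR on that same branch, so those two can still race; keying on the branch name (`github.head_ref || github.ref_name`) covers both paths with one group.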
133-143: Fork PR comment unconditionally posts on matching paths
This always prompts contributors, which is acceptable. If noise becomes an issue, you could add a label gate (e.g., needs-index) or a manual re-run check before commenting.
24-24: Pin GitHub Actions to commit SHAs
For supply-chain hardening, pin actions/checkout, astral-sh/setup-uv, and actions/github-script to specific commit SHAs instead of major tags.
Also applies to: 32-32, 38-38, 44-44, 134-134, 146-146
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.github/workflows/update-component-index.yml (5 hunks)
.pre-commit-config.yaml (1 hunks)
🔇 Additional comments (3)
.github/workflows/update-component-index.yml (3)
1-4: Good PR-target security banner
Clear guidance and protections against executing fork code. LGTM.
36-48: Conditioning looks correct for PR-target vs forks
Install and script checks only on same-repo PRs or dispatch. Safe and intentional. LGTM.
If you intend to allow same-repo maintainers to run workflow_dispatch on feature branches, consider adding an input for ref and passing it to checkout.
145-266: Nice, informative auto-update comment
Good diff summary and SHA display. Optional: guard optional chaining with Node 20 (default for github-script) is fine.
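Pinning `uses:` references to commit SHAs, as the review suggests for actions/checkout, astral-sh/setup-uv and actions/github-script, as an added Python example that is not part of the PR or the project's tooling: `find_unpinned` reports every `owner/repo@tag` reference in a workflow, and `pin_uses` rewrites each one to `owner/repo@<sha> # <tag>`, leaving already-pinned lines alone. Tag resolution is a pluggable callable; the default `resolve_with_git` shells out to `git ls-remote` (the only part that needs the network, and not exercised by the sample), while the workflow excerpt, the fake resolver and its SHA values are constructed.

```python
"""Pin `uses: owner/repo@<tag>` references in a GitHub Actions workflow to
full commit SHAs, keeping the tag as a trailing comment.

Added example, not the project's tooling. Resolution is pluggable: the
default shells out to `git ls-remote`; the sample injects a constructed map.
"""
from __future__ import annotations

import re
import subprocess
from typing import Callable

# `- uses: owner/repo[/path]@ref` with an optional trailing comment.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Resolver = Callable[[str, str], str]   # (owner/repo, ref) -> 40-hex commit SHA


def resolve_with_git(repo: str, ref: str) -> str:
    """Resolve a tag or branch on github.com to a commit SHA with `git ls-remote`.

    For an annotated tag the peeled `refs/tags/<ref>^{}` line is the commit the
    tag points at; prefer it over the tag object itself.
    """
    owner_repo = "/".join(repo.split("/")[:2])          # drop an action subpath
    out = subprocess.run(
        ["git", "ls-remote", "--tags", "--heads", f"https://github.com/{owner_repo}"],
        check=True, capture_output=True, text=True,
    ).stdout
    found: dict[str, str] = {}
    for line in out.splitlines():
        sha, _, name = line.partition("\t")
        found[name] = sha
    for candidate in (f"refs/tags/{ref}^{{}}", f"refs/tags/{ref}", f"refs/heads/{ref}"):
        if candidate in found:
            return found[candidate]
    raise LookupError(f"{ref} not found in {owner_repo}")


def find_unpinned(text: str) -> list[str]:
    """List `owner/repo@ref` references that are not already a full commit SHA."""
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m["ref"]):
            unpinned.append(f"{m['repo']}@{m['ref']}")
    return unpinned


def pin_uses(text: str, resolve: Resolver = resolve_with_git) -> str:
    """Rewrite every unpinned `uses:` line to `repo@<sha> # <ref>`.

    Already-pinned lines are left untouched. Any trailing comment on a rewritten
    line is replaced by the original ref, which is what update bots read.
    """
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        m = USES_RE.match(body)
        if m is None or SHA_RE.match(m["ref"]):
            out.append(line)
            continue
        sha = resolve(m["repo"], m["ref"])
        if not SHA_RE.match(sha):
            raise ValueError(f"resolver returned a non-SHA for {m['repo']}@{m['ref']}: {sha!r}")
        out.append(f"{m['prefix']}{m['repo']}@{sha} # {m['ref']}{newline}")
    return "".join(out)


# --- constructed workflow excerpt and fake resolver (no network needed) ----
WORKFLOW = """\
jobs:
  update-index:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - uses: actions/github-script@0123456789abcdef0123456789abcdef01234567 # v7
      - run: echo "the step above is already pinned"
"""

FAKE_SHAS = {                              # constructed values, not real commits
    ("actions/checkout", "v4"): "a" * 40,
    ("astral-sh/setup-uv", "v6"): "b" * 40,
}


def fake_resolve(repo: str, ref: str) -> str:
    return FAKE_SHAS[(repo, ref)]


if __name__ == "__main__":
    print(pin_uses(WORKFLOW, fake_resolve))
```

`find_unpinned` is the piece to run in CI so a tag reference fails the build once the workflows are pinned; the trailing `# vN` comment is the convention Dependabot and Renovate use to keep SHA-pinned actions updatable.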
* chore: update pre-commit configuration to exclude specific JSON file from secrets detection
  - Modified the exclude pattern for the detect-secrets hook to prevent false positives for the component_index.json file located in src/lfx/src/lfx/_assets.
* ci: update GitHub Actions workflow to enhance security for pull request handling
  - Changed the event trigger from `pull_request` to `pull_request_target` to improve security when handling forked pull requests.
  - Updated conditions for repository checkout and dependency installation to ensure safe execution only for same-repo pull requests.
  - Adjusted PR comment conditions to reflect the new event trigger, maintaining functionality for both community forks and same-repo updates.



Remove component index from detect-secrets to avoid false positives that are already evaluated on the Python files, and update the CI workflow to not try to commit to community PR branches.