ci(workflows): suggest lint fixes via reviewdog #29423
This was discussed in the BCD project meeting on 2026-04-14:
Explains the `bcd-linter` review suggestions that CI posts on pull requests when lint fails, and how contributors can apply them.
When inline suggestions are posted, also create or update a single PR comment that links to the Test workflow run and to docs explaining how to apply or push back on the suggestions.
Looks up the lint job's URL from the originating Test workflow run so the sticky PR comment links directly to the lint logs instead of the run overview. Falls back to the workflow run URL if the job lookup returns nothing. Drops the now redundant "Originating workflow run" trailer.
Filters the marker-comment lookup by author (github-actions[bot]) so a spoofed comment from another user starting with the same HTML marker can't be overwritten by the workflow.
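The two lookups the last two commits describe (the lint job URL with a fallback to the run URL, and the marker-comment lookup filtered by author), as an added JavaScript example that is not the project's workflow code. It runs over constructed data shaped like the GitHub REST responses the workflow would receive; the marker text, the job name `lint`, and all ids and URLs are assumptions.

```javascript
// Added example, not code from the browser-compat-data workflows: the two
// lookups the sticky PR comment needs, written as pure functions over data
// shaped like the GitHub REST responses (issues.listComments and
// actions.listJobsForWorkflowRun) so they can be run offline.
//
// Assumptions (not from the PR): the marker text below, the job name "lint",
// and all sample URLs and ids are hypothetical.

const MARKER = "<!-- bcd-linter-suggestions -->"; // hypothetical marker
const BOT_LOGIN = "github-actions[bot]";          // actor that posts the comment

// Return the bot's sticky comment to update, or null if it does not exist yet.
// Matching on the marker alone is not enough: any user who can comment on the
// PR can paste the marker, and a workflow that matched on it would then
// "update" (overwrite) that user's comment. Requiring the author login as well
// restricts the match to comments the workflow itself created.
function findStickyComment(comments, marker = MARKER, botLogin = BOT_LOGIN) {
  for (const c of comments) {
    const body = typeof c.body === "string" ? c.body : "";
    if (c.user && c.user.login === botLogin && body.startsWith(marker)) {
      return c;
    }
  }
  return null;
}

// Resolve the link for the comment: the lint job's html_url when the job
// lookup finds it, otherwise the originating workflow run's overview URL.
function lintLogsUrl(jobs, runHtmlUrl, jobName = "lint") {
  const job = (jobs || []).find((j) => j.name === jobName && j.html_url);
  return job ? job.html_url : runHtmlUrl;
}

// Constructed sample data: a spoofed comment from another user carrying the
// marker, followed by the genuine bot comment and an unrelated review comment.
const SAMPLE_COMMENTS = [
  { id: 101, user: { login: "mallory" }, body: MARKER + "\nThis is not the bot." },
  { id: 102, user: { login: BOT_LOGIN }, body: MARKER + "\nThe lint check found auto-fixable issues." },
  { id: 103, user: { login: "ddbeck" }, body: "LGTM" },
];

const SAMPLE_RUN_URL = "https://github.com/example/repo/actions/runs/1"; // hypothetical
const SAMPLE_JOBS = [
  { name: "build", html_url: SAMPLE_RUN_URL + "/job/10" },
  { name: "lint", html_url: SAMPLE_RUN_URL + "/job/11" },
];

// Build the body the workflow would post or update.
function buildCommentBody(logsUrl, marker = MARKER) {
  return [
    marker,
    "The lint check found auto-fixable issues. Apply the inline suggestions",
    "above (by bcd-linter) or run `npm run lint:fix` locally and commit the result.",
    `Lint logs: ${logsUrl}`,
  ].join("\n");
}

// Decide whether to create or update. Returned as data rather than performed
// against the API so the decision itself can be checked.
function planStickyComment(comments, jobs, runHtmlUrl) {
  const existing = findStickyComment(comments);
  const body = buildCommentBody(lintLogsUrl(jobs, runHtmlUrl));
  return existing
    ? { action: "update", commentId: existing.id, body }
    : { action: "create", body };
}

console.log(planStickyComment(SAMPLE_COMMENTS, SAMPLE_JOBS, SAMPLE_RUN_URL));
```

With the sample data the plan updates comment 102 (the bot's) and skips 101 even though it starts with the same marker; with no bot comment present it creates one, and with an empty job list the link falls back to the run URL.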
@ddbeck @Elchi3 How does this comment look?
I'm neutral on the message. Anything we can do to tighten this up? Maybe like this?
The lint check found auto-fixable issues. Apply suggested inline changes above (by bcd-linter) or, to fix all at once, run `npm run lint:fix` locally and commit the result.
```yaml
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
  name: lint-results
  path: lint-results
```
Ought we specify the files to be uploaded? Seems potentially risky to upload a whole directory, where someone could upload… whatever they want? (I know it's not terribly likely, but then again my intuitions about what's dangerous about GA is… untrustworthy.)
The test workflow runs `on: pull_request`, so it runs the version of the PR, and is under the control of the PR author.
We ignore all other files in the artifact, as we only use the `lint.diff` file here:
browser-compat-data/.github/workflows/pr-reviewdog.yml, lines 88 to 94 in 14e8d3e
The only risk is if reviewdog was vulnerable to some input, then an attacker might be able to exfiltrate the GITHUB_TOKEN, with the following permissions:
browser-compat-data/.github/workflows/pr-reviewdog.yml, lines 10 to 16 in 14e8d3e
The advantage of having a folder artifact is that it retains the file name of the included file.
Tightened it as follows now:
Summary
Updates the `lint` job of the `test` workflow to run `lint:fix` in case of failures, capturing the resulting diff in an artifact, which is passed to reviewdog via a new separate `pr-reviewdog` workflow.
Test results and supporting details
Example for how it looks: caugner#1
Related issues