From 3dd41c25e211bfd5b85a43822ed411419ce5b1c8 Mon Sep 17 00:00:00 2001
From: Martin Booth
Date: Thu, 21 May 2026 16:12:03 -0700
Subject: [PATCH] fix: perf+size steps don't run on forks outside of facebook repo
---
 .github/workflows/benchmarks-comment.yml | 65 ++++++++++++++++++++++++
 .github/workflows/benchmarks.yml | 51 +++++++------------
 2 files changed, 84 insertions(+), 32 deletions(-)
 create mode 100644 .github/workflows/benchmarks-comment.yml
diff --git a/.github/workflows/benchmarks-comment.yml b/.github/workflows/benchmarks-comment.yml
new file mode 100644
index 00000000..98b2d9d0
--- /dev/null
+++ b/.github/workflows/benchmarks-comment.yml
@@ -0,0 +1,65 @@
+name: benchmarks-comment
+
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+on:
+ workflow_run:
+ workflows: ['benchmarks']
+ types: [completed]
+
+permissions:
+ pull-requests: write
+ contents: read
+ actions: read
+
+jobs:
+ comment:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - artifact: benchmarks-size
+ marker: ''
+ heading: 'workflow: benchmarks/size'
+ description: 'Comparison of minified (terser) and compressed (brotli) size results, measured in bytes. Smaller is better.'
+ - artifact: benchmarks-perf
+ marker: ''
+ heading: 'workflow: benchmarks/perf (native)'
+ description: 'Comparison of performance test results, measured in operations per second. Larger is better.'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/download-artifact@v5
+ with:
+ name: ${{ matrix.artifact }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ - name: 'Read PR number and table'
+ id: read
+ run: |
+ # Validate the PR number is a positive integer to avoid any injection
+ # via the artifact (artifact contents come from a fork-triggered job).
+ pr_number="$(cat pr-number.txt | tr -d '[:space:]')"
+ if ! [[ "$pr_number" =~ ^[0-9]+$ ]]; then
+ echo "Invalid PR number in artifact: $pr_number" >&2
+ exit 1
+ fi
+ echo "pr-number=$pr_number" >> "$GITHUB_OUTPUT"
+ {
+ echo 'table<> "$GITHUB_OUTPUT"
+ - name: 'Post comment'
+ uses: edumserrano/find-create-or-update-comment@v3
+ with:
+ issue-number: ${{ steps.read.outputs.pr-number }}
+ body-includes: ${{ matrix.marker }}
+ comment-author: 'github-actions[bot]'
+ body: |
+ ${{ matrix.marker }}
+ ### ${{ matrix.heading }}
+ ${{ matrix.description }}
+ ${{ steps.read.outputs.table }}
+ edit-mode: replace
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 5ef0fda3..e9475fd7 100644
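Review bot: In the 'Read PR number and table' step, the heredoc that writes `table` into `$GITHUB_OUTPUT` appears to use a fixed terminator (the line is garbled in this rendering, but the `{ echo 'table<…` / `} >> "$GITHUB_OUTPUT"` shape is the usual fixed-string heredoc), while `table.md` arrives in the fork-controlled artifact. A table whose lines contain that terminator followed by its own `pr-number=…` assignment ends the heredoc early and overrides the value the step has just validated, because the runner applies the later assignment of a key; a per-run random terminator removes that path. Independently, a well-formed `pr-number` is still only a number the fork chose, so the bot can be pointed at any open PR in the repository; tying the number to the triggering run (for example, resolving the PR whose head SHA equals `github.event.workflow_run.head_sha` and comparing) would close that. The rewritten step body:
```yaml
      - name: 'Read PR number and table'
        id: read
        run: |
          # … unchanged: pr_number validation and pr-number output …
          # table.md is fork-controlled; a per-run random heredoc terminator stops it
          # from closing the heredoc early and appending its own key=value lines.
          delim="table_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
          {
            echo "table<<$delim"
            cat table.md
            echo "$delim"
          } >> "$GITHUB_OUTPUT"
```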
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -2,6 +2,9 @@ name: benchmarks
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 size:
 runs-on: ubuntu-latest
@@ -33,24 +36,16 @@ jobs:
 npm run size -w benchmarks -- -o ${{ env.PATCH_JSON }}
 echo "Ran successfully on patch branch"
 - name: 'Collect results'
- id: collect
 run: |
- echo "table<> $GITHUB_OUTPUT
- node packages/benchmarks/compare.js ${{ env.BASE_JSON }} ${{ env.PATCH_JSON }} >> markdown
- cat markdown >> $GITHUB_OUTPUT
- echo "EOF" >> $GITHUB_OUTPUT
- - name: 'Post comment'
- uses: edumserrano/find-create-or-update-comment@v3
+ mkdir -p benchmark-output
+ echo "${{ github.event.pull_request.number }}" > benchmark-output/pr-number.txt
+ node packages/benchmarks/compare.js ${{ env.BASE_JSON }} ${{ env.PATCH_JSON }} > benchmark-output/table.md
+ - name: 'Upload results'
+ uses: actions/upload-artifact@v4
 with:
- issue-number: ${{ github.event.pull_request.number }}
- body-includes: ''
- comment-author: 'github-actions[bot]'
- body: |
-
- ### workflow: benchmarks/size
- Comparison of minified (terser) and compressed (brotli) size results, measured in bytes. Smaller is better.
- ${{ steps.collect.outputs.table }}
- edit-mode: replace
+ name: benchmarks-size
+ path: benchmark-output/
+ retention-days: 1
 perf:
 runs-on: ubuntu-latest
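Review bot: In the size job's 'Collect results' step, `echo "${{ github.event.pull_request.number }}" > benchmark-output/pr-number.txt` splices a workflow expression straight into the `run:` script; the perf job's hunk in this patch does the same. The value is an integer from the `pull_request` event, so it is not injectable today, but the conventional form keeps expressions out of shell text entirely — add `env: PR_NUMBER: ${{ github.event.pull_request.number }}` to the step and write `printf '%s\n' "$PR_NUMBER" > benchmark-output/pr-number.txt`. The consuming workflow re-validates the number, so this is a point of style rather than a defect.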
@@ -82,21 +77,13 @@ jobs:
 npm run perf -w benchmarks -- -o ${{ env.PATCH_JSON }}
 echo "Ran successfully on patch branch"
 - name: 'Collect results'
- id: collect
 run: |
- echo "table<> $GITHUB_OUTPUT
- node packages/benchmarks/compare.js ${{ env.BASE_JSON }} ${{ env.PATCH_JSON }} >> markdown
- cat markdown >> $GITHUB_OUTPUT
- echo "EOF" >> $GITHUB_OUTPUT
- - name: 'Post comment'
- uses: edumserrano/find-create-or-update-comment@v3
+ mkdir -p benchmark-output
+ echo "${{ github.event.pull_request.number }}" > benchmark-output/pr-number.txt
+ node packages/benchmarks/compare.js ${{ env.BASE_JSON }} ${{ env.PATCH_JSON }} > benchmark-output/table.md
+ - name: 'Upload results'
+ uses: actions/upload-artifact@v4
 with:
- issue-number: ${{ github.event.pull_request.number }}
- body-includes: ''
- comment-author: 'github-actions[bot]'
- body: |
-
- ### workflow: benchmarks/perf (native)
- Comparison of performance test results, measured in operations per second. Larger is better.
- ${{ steps.collect.outputs.table }}
- edit-mode: replace
+ name: benchmarks-perf
+ path: benchmark-output/
+ retention-days: 1