fix(ci): harden test262 PR workflow security #5159

Merged
jedel1043 merged 1 commit into boa-dev:main from iammdzaidalam:fix-test262-workflow-security
Mar 19, 2026

@iammdzaidalam
Contributor

Closes #5158.

This replaces the old test262_pr.yml flow with a safer two-phase setup:

  • test262.yml: runs under pull_request with minimal permissions and executes the test262 suite on PR code
  • test262_comment.yml: runs under workflow_run in the base repository context and updates the PR comment from an uploaded artifact

Main changes:

  • remove untrusted execution from pull_request_target
  • disable persisted checkout credentials in the run workflow
  • keep the trusted comment workflow isolated from PR code
  • pass results through an artifact and use body-path for comment updates

This preserves the reporting behavior while avoiding execution of PR code in a privileged workflow context.
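
A minimal sketch of the two-phase layout described in the PR description above, added here as an illustration; it is not the workflow files from this pull request. The file names, triggers, disabled checkout credentials and `body-path` come from the description; the workflow and artifact names, the `run-suite.sh` script, the `pr_number` file, and the choice of `actions/download-artifact` and `peter-evans/create-or-update-comment` are assumptions.

```yaml
# File 1: .github/workflows/test262.yml (runs PR code, unprivileged)
name: test262                      # assumed name, referenced by file 2
on: pull_request                   # fork PRs get a read-only token and no secrets
permissions: { contents: read }
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }   # keep the token out of .git/config
      - env:
          PR: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p results
          ./run-suite.sh > results/comment.md   # hypothetical script; executes PR code
          echo "$PR" > results/pr_number        # assumed hand-off file
      - uses: actions/upload-artifact@v4
        with: { name: test262-results, path: results/ }   # assumed artifact name
---
# File 2: .github/workflows/test262_comment.yml (trusted, base repository context)
name: test262 comment
on:
  workflow_run: { workflows: [test262], types: [completed] }
permissions: { actions: read, pull-requests: write }   # only what commenting needs
jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # No checkout step: nothing from the PR is ever executed in this job.
      - uses: actions/download-artifact@v4
        with:
          name: test262-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          path: results
      # The artifact was written by PR code, so treat it as untrusted input.
      - id: pr
        run: |
          n="$(cat results/pr_number)"
          [[ "$n" =~ ^[0-9]+$ ]] || exit 1      # digits only, single line
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ steps.pr.outputs.number }}
          body-path: results/comment.md         # posted as text, never interpolated
```

The digits-only check keeps the artifact from supplying anything other than a number, but the number and the comment body are still PR-controlled data, so the trusted workflow should only post them and never execute or interpolate them into a shell command.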

@iammdzaidalam iammdzaidalam requested a review from a team as a code owner March 19, 2026 12:03
@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers and removed Waiting On Review Waiting on reviews from the maintainers labels Mar 19, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 19, 2026
@github-actions github-actions bot added C-Tests Issues and PRs related to the tests. C-Builtins PRs and Issues related to builtins/intrinsics C-Actions Pull requests that update Github Actions code labels Mar 19, 2026
github-actions bot commented Mar 19, 2026

Test262 conformance changes

| Test result | main count | PR count | difference |
|---|---|---|---|
| Total | 52,963 | 52,963 | 0 |
| Passed | 50,079 | 50,079 | 0 |
| Ignored | 2,072 | 2,072 | 0 |
| Failed | 812 | 812 | 0 |
| Panics | 0 | 0 | 0 |
| Conformance | 94.55% | 94.55% | 0.00% |

Tested main commit: 26271b7c3f6f357f12fd835a0402d8b643f03db5
Tested PR commit: 1dd231995579d60b4b5108fbf3d3cbb9e77614eb
Compare commits: 26271b7...1dd2319

@iammdzaidalam iammdzaidalam force-pushed the fix-test262-workflow-security branch from 954fff6 to d17cfcc Compare March 19, 2026 12:20
@github-actions github-actions bot added the Waiting On Review Waiting on reviews from the maintainers label Mar 19, 2026
@iammdzaidalam iammdzaidalam force-pushed the fix-test262-workflow-security branch from d17cfcc to 1dd2319 Compare March 19, 2026 12:41
codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.56%. Comparing base (6ddc2b4) to head (1dd2319).
⚠️ Report is 894 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #5159       +/-   ##
===========================================
+ Coverage   47.24%   59.56%   +12.31%     
===========================================
  Files         476      580      +104     
  Lines       46892    63236    +16344     
===========================================
+ Hits        22154    37665    +15511     
- Misses      24738    25571      +833     

Member

@jedel1043 jedel1043 left a comment

Cool, thanks

@jedel1043 jedel1043 added this pull request to the merge queue Mar 19, 2026
@jedel1043 jedel1043 added the A-Meta Issues and PRs related to the repository itself label Mar 19, 2026
Merged via the queue into boa-dev:main with commit c9aaad1 Mar 19, 2026
23 checks passed
@github-actions github-actions bot removed the Waiting On Review Waiting on reviews from the maintainers label Mar 19, 2026

Labels

  • A-Meta: Issues and PRs related to the repository itself
  • C-Actions: Pull requests that update Github Actions code
  • C-Builtins: PRs and Issues related to builtins/intrinsics
  • C-Tests: Issues and PRs related to the tests.

Development

Successfully merging this pull request may close these issues.

test262_pr workflow runs untrusted code under pull_request_target