From 1e9de0a6ed025239356ad1d4010adf88a6b03f17 Mon Sep 17 00:00:00 2001
From: Lauren Tan
Date: Mon, 17 Mar 2025 13:40:39 -0400
Subject: [PATCH 1/2] [ci] Don't use third party action to push commits

In light of recent third party actions being compromised, let's just push the commit ourselves rather than use a third party action. We already detect if changes are needed, so the step will only run if so.

I also added a `dry_run` option to the manual runs of this workflow for testing.
---
 .../workflows/runtime_commit_artifacts.yml | 41 +++++++++++--------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/runtime_commit_artifacts.yml b/.github/workflows/runtime_commit_artifacts.yml
index 9e60606210f39..6b1cad2245aa6 100644
--- a/.github/workflows/runtime_commit_artifacts.yml
+++ b/.github/workflows/runtime_commit_artifacts.yml
@@ -16,6 +16,11 @@ on:
         required: true
         default: false
         type: boolean
+      dry_run:
+        description: Perform a dry run (run everything except push)
+        required: true
+        default: false
+        type: boolean
 
 env:
   TZ: /usr/share/zoneinfo/America/Los_Angeles
@@ -246,16 +251,16 @@ jobs:
           git status -u
       - name: Commit changes to branch
         if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true'
-        uses: stefanzweifel/git-auto-commit-action@v5
-        with:
-          commit_message: |
-            ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
+        run: |
+          git config --global user.email "${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}"
+          git config --global user.name "${{ github.triggering_actor }}"
 
-            DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})
-          branch: builds/facebook-www
-          commit_user_name: ${{ github.triggering_actor }}
-          commit_user_email: ${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}
-          create_branch: true
+          git commit -m "${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
+
+          DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})" || echo "No changes to commit"
+      - name: Push changes to branch
+        if: inputs.dry_run == false && (inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true')
+        run: git push
 
   commit_fbsource_artifacts:
     needs: download_artifacts
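Review bot: The new `git commit -m "${{ github.event.workflow_run.head_commit.message || … }}` line interpolates the triggering commit's message directly into the shell script of the `run:` block, so a message containing a double quote followed by shell metacharacters would execute as commands in a job that goes on to push with write access. The removed `commit_message:` input was passed to the action as data and never went through a shell, so this exposure is new to this commit, and the two `git config` lines interpolate `github.triggering_actor` the same way (lower risk, same fix). Move every expression into the step's `env:` and reference the variables from the script, which also lets the two-paragraph message be passed as two `-m` flags instead of a quoted string spanning lines. Whether `head_commit` can originate from an untrusted contributor depends on which workflow's `workflow_run` feeds this one, which is outside the hunk, but the step should not rely on that. The enclosing job, its checkout and the staging that precedes `git status -u` all start before this hunk.
```yaml
      - name: Commit changes to branch
        if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true'
        env:
          COMMIT_TITLE: ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
          ACTOR: ${{ github.triggering_actor }}
        run: |
          git config --global user.email "${ACTOR}@users.noreply.github.com"
          git config --global user.name "$ACTOR"
          git commit -m "$COMMIT_TITLE" -m "DiffTrain build for [${HEAD_SHA}](https://github.com/facebook/react/commit/${HEAD_SHA})" || echo "No changes to commit"
      # … unchanged: Push changes to branch step …
```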
@@ -413,13 +418,13 @@ jobs:
           git status
       - name: Commit changes to branch
         if: inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true'
-        uses: stefanzweifel/git-auto-commit-action@v5
-        with:
-          commit_message: |
-            ${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
+        run: |
+          git config --global user.email "${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}"
+          git config --global user.name "${{ github.triggering_actor }}"
+
+          git commit -m "${{ github.event.workflow_run.head_commit.message || format('Manual build of {0}', github.event.workflow_run.head_sha || github.sha) }}
 
-            DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})
-          branch: builds/facebook-fbsource
-          commit_user_name: ${{ github.triggering_actor }}
-          commit_user_email: ${{ format('{0}@users.noreply.github.com', github.triggering_actor) }}
-          create_branch: true
+          DiffTrain build for [${{ github.event.workflow_run.head_sha || github.sha }}](https://github.com/facebook/react/commit/${{ github.event.workflow_run.head_sha || github.sha }})" || echo "No changes to commit"
+      - name: Push changes to branch
+        if: inputs.dry_run == false && (inputs.force == true || steps.check_should_commit.outputs.should_commit == 'true')
+        run: git push

From 4eaaba2003441dcdab5554586cd7820b53e43a8a Mon Sep 17 00:00:00 2001
From: Lauren Tan
Date: Mon, 17 Mar 2025 13:58:34 -0400
Subject: [PATCH 2/2] [ci] Pin Discord webhook action to specific commit sha

Pins the discord webhook action to `86dc739f3f165f16dadc5666051c367efa1692f4`, which is what the v6 tag points to.
---
 .github/workflows/compiler_discord_notify.yml | 2 +-
 .github/workflows/runtime_discord_notify.yml | 2 +-
 .github/workflows/runtime_releases_from_npm_manual.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
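Review bot: The new `run: git push` in the Push step names no remote or branch, while the removed `branch: builds/facebook-fbsource` and `create_branch: true` lines were what previously selected the target and created it when absent; unless the checkout earlier in the job (outside this hunk) leaves `builds/facebook-fbsource` checked out with an upstream, a bare `git push` either fails or goes wherever `push.default` points, so make it explicit with `run: git push origin HEAD:builds/facebook-fbsource`. On the `git commit -m …` line, `|| echo "No changes to commit"` masks every nonzero exit (hook failure, unset identity, bad arguments), not only an empty index, and the Push step still runs afterwards; the step is already gated by `should_commit == 'true'`, so the fallback can be dropped or narrowed to a `git diff --cached --quiet && { echo "No changes to commit"; exit 0; }` placed before the commit. That same line puts `${{ github.event.workflow_run.head_commit.message … }}` into the shell unescaped, which is a script-injection pattern and should be moved into an `env:` variable, exactly as the facebook-www step earlier in this file needs. `inputs.dry_run == false` in the Push step's `if:` is true on `workflow_run` runs only because `inputs.dry_run` is null there and GitHub coerces both null and false to 0; `!inputs.dry_run` or a short comment stating that would make the intent visible. The job and its checkout begin before this hunk.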
diff --git a/.github/workflows/compiler_discord_notify.yml b/.github/workflows/compiler_discord_notify.yml
index f81f42b9cb7df..5b46d0f87601f 100644
--- a/.github/workflows/compiler_discord_notify.yml
+++ b/.github/workflows/compiler_discord_notify.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.COMPILER_DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/runtime_discord_notify.yml b/.github/workflows/runtime_discord_notify.yml
index e41b1c56405a7..f2be08f904ee2 100644
--- a/.github/workflows/runtime_discord_notify.yml
+++ b/.github/workflows/runtime_discord_notify.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/runtime_releases_from_npm_manual.yml b/.github/workflows/runtime_releases_from_npm_manual.yml
index c4675bfb7fd4a..0293696428f65 100644
--- a/.github/workflows/runtime_releases_from_npm_manual.yml
+++ b/.github/workflows/runtime_releases_from_npm_manual.yml
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Discord Webhook Action
-        uses: tsickert/discord-webhook@v6.0.0
+        uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4
         with:
           webhook-url: ${{ secrets.DISCORD_WEBHOOK_URL }}
           embed-author-name: ${{ github.event.sender.login }}
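Review bot: Each new `uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4` line pins a bare SHA with no trailing comment, so the version it stands for is recorded only in the commit message and the pin is opaque to the next reader and to automated updaters. The usual convention is a trailing tag comment, `uses: tsickert/discord-webhook@86dc739f3f165f16dadc5666051c367efa1692f4 # v6.0.0`, which Dependabot/Renovate use to bump the SHA and the comment together and which lets a reviewer check the pin against the tag. That this SHA is what `v6.0.0` resolved to is stated in the description but is not verifiable from the hunk itself.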