fix-pr-stats#172
Conversation
|
Note Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported. |
WalkthroughUpdates the GitHub Actions workflow: bumps Go from 1.21 to 1.24, switches outputs to GITHUB_OUTPUT, writes credentials to RUNNER_TEMP with restricted permissions, emits a UTC ISO8601 timestamp, and changes auto-update PR creation (branch, paths, base, and delete-branch settings). Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub Actions
participant Job as pr-stats job
participant Go as Go setup (1.24)
participant FS as Runner FS
participant Out as GITHUB_OUTPUT
participant PR as Create Pull Request
Dev->>GH: push / open PR
GH->>Job: trigger pr-stats workflow
Job->>Go: setup Go 1.24
Job->>FS: write credentials -> $RUNNER_TEMP/google-credentials.json
Job->>FS: chmod 600 $RUNNER_TEMP/google-credentials.json
Job->>Out: echo "credentials_file=$RUNNER_TEMP/google-credentials.json" >> $GITHUB_OUTPUT
Job->>Out: echo "timestamp=YYYY-MM-DDTHH:MM:SSZ" >> $GITHUB_OUTPUT
Job->>PR: create/update PR (branch: auto-update-pr-data, add-paths: data/, base: main, delete-branch: true) using timestamp for title/commit
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20–30 minutes Possibly related PRs
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches🧪 Generate unit tests
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/pr-stats.yml (1)
56-64: Secret leakage risk: credentials file can be committed by the PR-creation step.Writing google-credentials.json into the repo workspace risks accidental inclusion in the commit. Also use printf and restrictive perms.
Apply within this step:
- echo "$GOOGLE_CREDS" > google-credentials.json - echo "credentials_file=google-credentials.json" >> $GITHUB_OUTPUT + CREDENTIALS_FILE="$RUNNER_TEMP/google-credentials.json" + printf '%s' "$GOOGLE_CREDS" > "$CREDENTIALS_FILE" + chmod 600 "$CREDENTIALS_FILE" + echo "credentials_file=$CREDENTIALS_FILE" >> "$GITHUB_OUTPUT"Additionally, constrain files that are committed by the PR step to prevent any secret file from ever being included (change in the “Create Pull Request” step below):
- name: Create Pull Request if: success() uses: peter-evans/create-pull-request@v6 with: token: ${{ secrets.PAT_TOKEN }} + add-paths: | + data/consolidated/*.json + data/monthly/*.json + data/junit5/*.json commit-message: "Update PR data ${{ github.event.schedule == '0 0 2 * *' && 'Monthly' || 'Daily' }} collection (${{ steps.timestamp.outputs.timestamp }})"Optionally, add a pre-PR cleanup step as extra defense:
- name: Cleanup credentials if: always() run: rm -f "$RUNNER_TEMP/google-credentials.json" ./google-credentials.json
🧹 Nitpick comments (2)
.github/workflows/pr-stats.yml (2)
101-102: Emit timestamps in explicit UTC ISO‑8601.Helps sorting and avoids locale ambiguity.
- run: echo "timestamp=$(date '+%Y-%m-%d %H:%M UTC')" >> $GITHUB_OUTPUT + run: echo "timestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
22-22: Pin Go action to patch releases
Use a semVer wildcard to fetch the latest 1.24.x patch. (docs.github.com)- go-version: '1.24' + go-version: '1.24.x'
- Pin Go version to 1.24.x for automatic patch updates
- Use UTC ISO-8601 timestamp format for better sorting and locale consistency
- Secure Google credentials handling by:
- Writing credentials to $RUNNER_TEMP instead of workspace
- Using printf instead of echo for better security
- Setting restrictive 600 permissions on credentials file
- Constrain PR creation to only commit data/ directory files to prevent
accidental credential leakage
These changes address security vulnerabilities where credentials could be
accidentally committed and improve the workflow's reliability with proper
timestamp formatting and dependency pinning.
Summary by CodeRabbit
Chores
Bug Fixes
New Features