Skip to content

fix-pr-stats#172

Merged
gounthar merged 4 commits into
mainfrom
fix-pr-stats
Sep 23, 2025
Merged

fix-pr-stats#172
gounthar merged 4 commits into
mainfrom
fix-pr-stats

Conversation

@gounthar

@gounthar gounthar commented Sep 22, 2025

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores

    • Upgraded the Go toolchain used in CI for improved compatibility and support.
    • Improved CI credentials handling to a more secure temporary-file approach and modern output handling.
    • Standardized timestamps in CI to UTC ISO 8601 for consistent metadata.
    • Enhanced automated PR creation in CI with expanded metadata and data-path inclusion; it now auto-manages the update branch.
  • Bug Fixes

    • None
  • New Features

    • None

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Sep 22, 2025

Copy link
Copy Markdown
Contributor

Walkthrough

Updates the GitHub Actions workflow: bumps Go from 1.21 to 1.24, switches outputs to GITHUB_OUTPUT, writes credentials to RUNNER_TEMP with restricted permissions, emits a UTC ISO8601 timestamp, and changes auto-update PR creation (branch, paths, base, and delete-branch settings).

Changes

Cohort / File(s) Summary
CI workflow: pr-stats
.github/workflows/pr-stats.yml
- Update Go toolchain 1.21 → 1.24
- Write credentials to $RUNNER_TEMP/google-credentials.json and chmod 600 instead of echoing to repo file
- Emit credentials_file=$RUNNER_TEMP/google-credentials.json via GITHUB_OUTPUT (replace set-output)
- Generate UTC ISO 8601 timestamp (date -u +'%Y-%m-%dT%H:%M:%SZ') and write to GITHUB_OUTPUT
- Create/update PR with branch: auto-update-pr-data, delete-branch: true, base: main, and add-paths: data/; commit-message/title use the timestamp

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Job as pr-stats job
  participant Go as Go setup (1.24)
  participant FS as Runner FS
  participant Out as GITHUB_OUTPUT
  participant PR as Create Pull Request

  Dev->>GH: push / open PR
  GH->>Job: trigger pr-stats workflow
  Job->>Go: setup Go 1.24
  Job->>FS: write credentials -> $RUNNER_TEMP/google-credentials.json
  Job->>FS: chmod 600 $RUNNER_TEMP/google-credentials.json
  Job->>Out: echo "credentials_file=$RUNNER_TEMP/google-credentials.json" >> $GITHUB_OUTPUT
  Job->>Out: echo "timestamp=YYYY-MM-DDTHH:MM:SSZ" >> $GITHUB_OUTPUT
  Job->>PR: create/update PR (branch: auto-update-pr-data, add-paths: data/, base: main, delete-branch: true) using timestamp for title/commit
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

Possibly related PRs

Poem

I nibble bytes at midnight's gate,
Bumped Go forward, set the date.
Credentials snug in temp's warm lair,
GITHUB_OUTPUT keeps them there.
A rabbit cheers — the PRs take flight. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The PR title "fix-pr-stats" is directly related to the changes in .github/workflows/pr-stats.yml and succinctly signals an intent to fix PR statistics automation, so it reflects the main change in the changeset. The title is concise but terse and omits specifics (e.g., Go toolchain upgrade, credential handling, timestamp format), though it still meaningfully points reviewers to the workflow update.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix-pr-stats

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b815d1c and 38219f7.

📒 Files selected for processing (1)
  • .github/workflows/pr-stats.yml (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr-stats.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/pr-stats.yml (1)

56-64: Secret leakage risk: credentials file can be committed by the PR-creation step.

Writing google-credentials.json into the repo workspace risks accidental inclusion in the commit. Also use printf and restrictive perms.

Apply within this step:

-          echo "$GOOGLE_CREDS" > google-credentials.json
-          echo "credentials_file=google-credentials.json" >> $GITHUB_OUTPUT
+          CREDENTIALS_FILE="$RUNNER_TEMP/google-credentials.json"
+          printf '%s' "$GOOGLE_CREDS" > "$CREDENTIALS_FILE"
+          chmod 600 "$CREDENTIALS_FILE"
+          echo "credentials_file=$CREDENTIALS_FILE" >> "$GITHUB_OUTPUT"

Additionally, constrain files that are committed by the PR step to prevent any secret file from ever being included (change in the “Create Pull Request” step below):

       - name: Create Pull Request
         if: success()
         uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.PAT_TOKEN }}
+          add-paths: |
+            data/consolidated/*.json
+            data/monthly/*.json
+            data/junit5/*.json
           commit-message: "Update PR data ${{ github.event.schedule == '0 0 2 * *' && 'Monthly' || 'Daily' }} collection (${{ steps.timestamp.outputs.timestamp }})"

Optionally, add a pre-PR cleanup step as extra defense:

- name: Cleanup credentials
  if: always()
  run: rm -f "$RUNNER_TEMP/google-credentials.json" ./google-credentials.json
🧹 Nitpick comments (2)
.github/workflows/pr-stats.yml (2)

101-102: Emit timestamps in explicit UTC ISO‑8601.

Helps sorting and avoids locale ambiguity.

-        run: echo "timestamp=$(date '+%Y-%m-%d %H:%M UTC')" >> $GITHUB_OUTPUT
+        run: echo "timestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"

22-22: Pin Go action to patch releases
Use a semVer wildcard to fetch the latest 1.24.x patch. (docs.github.com)

- go-version: '1.24'
+ go-version: '1.24.x'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db29e2b and b815d1c.

📒 Files selected for processing (1)
  • .github/workflows/pr-stats.yml (2 hunks)

  - Pin Go version to 1.24.x for automatic patch updates
  - Use UTC ISO-8601 timestamp format for better sorting and locale consistency
  - Secure Google credentials handling by:
    - Writing credentials to $RUNNER_TEMP instead of workspace
    - Using printf instead of echo for better security
    - Setting restrictive 600 permissions on credentials file
  - Constrain PR creation to only commit data/ directory files to prevent
    accidental credential leakage

  These changes address security vulnerabilities where credentials could be
  accidentally committed and improve the workflow's reliability with proper
  timestamp formatting and dependency pinning.
@gounthar gounthar merged commit 5b4da89 into main Sep 23, 2025
7 of 8 checks passed
@gounthar gounthar deleted the fix-pr-stats branch September 23, 2025 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant