From d516932d601c0cf35124b5fd89cedcce51c34131 Mon Sep 17 00:00:00 2001
From: Birk Skyum
Date: Thu, 19 Mar 2026 15:59:15 +0100
Subject: [PATCH 1/2] ci: use pull_request_target for pr version preview
---
 .github/workflows/pr-version-preview.yml | 32 ++++++++++++++++++++++++
 .github/workflows/pr.yml | 10 --------
 2 files changed, 32 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/pr-version-preview.yml
diff --git a/.github/workflows/pr-version-preview.yml b/.github/workflows/pr-version-preview.yml
new file mode 100644
index 0000000..f61d73b
--- /dev/null
+++ b/.github/workflows/pr-version-preview.yml
@@ -0,0 +1,32 @@
+name: Version Preview
+
+on:
+ pull_request_target:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.number }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ version-preview:
+ name: Version Preview
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ # Check out the PR head so we can read its changeset files.
+ # IMPORTANT: Do NOT run `pnpm install` or any repo scripts on
+ # this ref — pull_request_target grants elevated permissions,
+ # so executing untrusted code would be a security risk.
+ ref: refs/pull/${{ github.event.number }}/merge
+ - name: Setup Node
+ uses: actions/setup-node@v6.3.0
+ with:
+ node-version-file: .nvmrc
+ - name: Changeset Preview
+ uses: ./.github/changeset-preview
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 872cc94..8a0fd0d 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -53,13 +53,3 @@ jobs:
 uses: danielroe/provenance-action@v0.1.1
 with:
 fail-on-downgrade: true
- version-preview:
- name: Version Preview
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v6.0.2
- name: Setup Tools
- uses: ./.github/setup
- name: Changeset Preview
- uses: ./.github/changeset-preview
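Review bot: The Checkout step that sets `ref: refs/pull/${{ github.event.number }}/merge` keeps actions/checkout's default `persist-credentials: true`, so the job's GITHUB_TOKEN, which this workflow grants `pull-requests: write`, is written into the untrusted checkout's `.git/config`; add `persist-credentials: false` under that step's `with:`. The same hunk then runs `uses: ./.github/changeset-preview` from that very ref, which executes PR-controlled action code with the elevated token and contradicts the IMPORTANT comment placed just above it; patch 2/2 resolves that by running the action from a separate base checkout, but the credentials point carries over unchanged to its `Checkout PR` step. The pr.yml hunk below is a pure deletion and raises nothing.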
From ee4efcbe6d21b5b0354b5588aa935de48d8c67b0 Mon Sep 17 00:00:00 2001
From: Birk Skyum
Date: Thu, 19 Mar 2026 16:02:38 +0100
Subject: [PATCH 2/2] ci: pull_request_target
---
 .github/changeset-preview/action.yml | 6 ++++++
 .../preview-changeset-versions.mjs | 4 +++-
 .github/workflows/pr-version-preview.yml | 19 ++++++++++++-------
 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/.github/changeset-preview/action.yml b/.github/changeset-preview/action.yml
index 5f34890..c4c00f8 100644
--- a/.github/changeset-preview/action.yml
+++ b/.github/changeset-preview/action.yml
@@ -1,5 +1,9 @@
 name: Changeset Preview
 description: Generates comment on a PR showing expected version impact
+inputs:
+ workspace:
+ description: Path to the repo checkout to read changesets from. Defaults to GITHUB_WORKSPACE.
+ required: false
 runs:
 using: composite
 steps:
@@ -10,6 +14,8 @@ runs:
 - name: Preview version bumps
 shell: bash
 run: node ${{ github.action_path }}/preview-changeset-versions.mjs --output /tmp/changeset-preview.md
+ env:
+ CHANGESET_WORKSPACE: ${{ inputs.workspace }}
 - name: Post PR comment
 shell: bash
 run: |
diff --git a/.github/changeset-preview/preview-changeset-versions.mjs b/.github/changeset-preview/preview-changeset-versions.mjs
index 4167059..3dd82c6 100644
--- a/.github/changeset-preview/preview-changeset-versions.mjs
+++ b/.github/changeset-preview/preview-changeset-versions.mjs
@@ -9,7 +9,9 @@ import { resolve } from 'node:path'
 import { parseArgs } from 'node:util'
 import getReleasePlan from '@changesets/get-release-plan'
-const GITHUB_WORKSPACE = resolve(process.env.GITHUB_WORKSPACE)
+const GITHUB_WORKSPACE = resolve(
+ process.env.CHANGESET_WORKSPACE || process.env.GITHUB_WORKSPACE,
+)
 console.log(`Using workspace: ${GITHUB_WORKSPACE}`)
diff --git a/.github/workflows/pr-version-preview.yml b/.github/workflows/pr-version-preview.yml
index f61d73b..049f662 100644
--- a/.github/workflows/pr-version-preview.yml
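Review bot: The new `workspace` input's description should say that the path is read as data only, because in this series the workflow points it at an untrusted pull-request checkout while the action itself runs from the base branch; suggested wording: `description: Path to a repo checkout whose changeset files are read. Treated as untrusted data; nothing under it is executed. Defaults to GITHUB_WORKSPACE.` Passing the value through `env:` in the second hunk rather than interpolating it into `run:` is the right shape. That hunk's `Post PR comment` step is cut off at `run: |`; since the comment body is derived from changeset text in that checkout, confirm the script hands the generated markdown to the API as a file or through an environment variable rather than splicing it into the shell command.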
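Review bot: `resolve(process.env.CHANGESET_WORKSPACE || process.env.GITHUB_WORKSPACE)` throws a TypeError from path.resolve when neither variable is set (the likely failure when the script is run outside GitHub), and that message names neither variable. Resolve the input first and fail explicitly: `const workspaceInput = process.env.CHANGESET_WORKSPACE || process.env.GITHUB_WORKSPACE`, `if (!workspaceInput) throw new Error('CHANGESET_WORKSPACE or GITHUB_WORKSPACE must be set')`, `const GITHUB_WORKSPACE = resolve(workspaceInput)`. The constant's name no longer matches what it holds once CHANGESET_WORKSPACE takes precedence; a comment such as `// Root whose .changeset/ and package manifests are read; under pull_request_target this may be an untrusted PR checkout` would help the next maintainer. Everything getReleasePlan reads from that root is now attacker-controlled data, so it is worth confirming that @changesets/get-release-plan only parses files there and never loads a module path taken from the checkout's .changeset/config.json.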
+++ b/.github/workflows/pr-version-preview.yml
@@ -16,17 +16,22 @@ jobs:
 name: Version Preview
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
+ # First checkout: base branch (trusted) — used for action code
+ - name: Checkout base
+ uses: actions/checkout@v6.0.2
+ with:
+ path: base
+ # Second checkout: PR merge ref — only used to read changeset files
+ - name: Checkout PR
 uses: actions/checkout@v6.0.2
 with:
- # Check out the PR head so we can read its changeset files.
- # IMPORTANT: Do NOT run `pnpm install` or any repo scripts on
- # this ref — pull_request_target grants elevated permissions,
- # so executing untrusted code would be a security risk.
 ref: refs/pull/${{ github.event.number }}/merge
+ path: pr
 - name: Setup Node
 uses: actions/setup-node@v6.3.0
 with:
- node-version-file: .nvmrc
+ node-version-file: base/.nvmrc
 - name: Changeset Preview
- uses: ./.github/changeset-preview
+ uses: ./base/.github/changeset-preview
+ with:
+ workspace: ${{ github.workspace }}/pr
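Review bot: The `Checkout PR` step drops the four-line IMPORTANT comment that explained why nothing from the PR ref may be executed and replaces it with `# Second checkout: PR merge ref — only used to read changeset files`, which states the intent but not the consequence; keep the reason next to the step, e.g. `# Untrusted: this job runs under pull_request_target with a write token, so never install, build or run anything from pr/`. The composite action now runs from `./base/.github/changeset-preview`, but its `run:` steps still execute with the job's default working directory, `${{ github.workspace }}`, which now contains both `base/` and `pr/`, and its dependency-install step (action.yml lines 6–9, outside this series) is not visible; confirm it resolves package manifests and lockfiles from `base/` and touches nothing under `pr/`. Reading `node-version-file: base/.nvmrc` from the trusted checkout is correct.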