From 65852dda0ada3c2c4d9e3ea2e8042f705a0ce955 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Wed, 8 Apr 2026 14:31:46 +0200 Subject: [PATCH 1/5] fix(ci): record and use the PR number to post the comment --- .github/workflows/comment-perf.yaml | 14 +++++++++----- .github/workflows/performance.yaml | 13 ++++++++----- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml index a6ad2e02..075d3611 100644 --- a/.github/workflows/comment-perf.yaml +++ b/.github/workflows/comment-perf.yaml @@ -20,14 +20,18 @@ jobs: - name: Download comment uses: actions/download-artifact@v4 with: - name: benchmark-report - path: benchmark-report.txt + name: benchmark-result + path: benchmark-result github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} run-id: ${{ github.event.workflow_run.id }} + - name: Read PR number + id: read-pr-number + run: echo "number=$(cat benchmark-result/pr_number)" >> $GITHUB_OUTPUT + - name: Post message to PR - uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 + uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2 with: - message-path: benchmark-report.txt - issue: ${{ github.event.workflow_run.pull_requests[0].number }} + message-path: benchmark-result/report.md + issue: ${{ steps.read-pr-number.outputs.number }} repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml index 1d9c7063..a79bf1b6 100644 --- a/.github/workflows/performance.yaml +++ b/.github/workflows/performance.yaml 
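Review bot: In the new `Read PR number` step the value that becomes `issue:` for the bot comment is read from `benchmark-result/pr_number`, an artifact produced by the run on the contributor's branch (the `Save PR number` step in this patch's performance.yaml hunk, evidently a pull_request-triggered job), so the PR author decides which issue the `ROCKSBOT_CHISEL_PR_COMMENTER` token comments on. Patch 2/5 of this series replaces the artifact with a server-side lookup, which is the right fix; until then the step should at least refuse anything that is not a plain integer, e.g. `n="$(cat benchmark-result/pr_number)"`, `case "$n" in ''|*[!0-9]*) echo "invalid PR number" >&2; exit 1;; esac`, `echo "number=$n" >> "$GITHUB_OUTPUT"`. Note that `report.md` from the same artifact is equally contributor-controlled, so the bot posts whatever markdown that run produced; that is inherent to the design but deserves a comment on the download step. The enclosing `jobs:` block starts outside the hunk.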
@@ -65,14 +65,17 @@ jobs: - name: Run benchmark id: benchmark run: | - msg_file="$(mktemp)" - echo "msg_file=$msg_file" >> $GITHUB_OUTPUT chmod +x base head - hyperfine --export-markdown "$msg_file" "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD" + hyperfine --export-markdown report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD" + + - name: Save PR number + run: echo "${{ github.event.pull_request.number }}" > pr_number - name: Upload result uses: actions/upload-artifact@v4 with: - name: benchmark-report - path: ${{ steps.benchmark.outputs.msg_file }} + name: benchmark-result + path: | + report.md + pr_number retention-days: 1 From 79e398c02aee92a9c30bccc023a71d5945f315e8 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Mon, 20 Apr 2026 17:03:44 +0200 Subject: [PATCH 2/5] fix: avoid attacker controlling PR number --- .github/workflows/comment-perf.yaml | 18 +++++++++++------- .github/workflows/performance.yaml | 9 ++------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml index 075d3611..378604da 100644 --- a/.github/workflows/comment-perf.yaml +++ b/.github/workflows/comment-perf.yaml 
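Review bot: `id: benchmark` on the `Run benchmark` step is now dead: the only thing that referenced it was the removed `msg_file` output, and the upload step names `report.md` directly. Either drop the `id:` or leave a comment saying what it is kept for. The enclosing `jobs:` block starts outside the hunk.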
@@ -20,18 +20,22 @@ jobs: - name: Download comment uses: actions/download-artifact@v4 with: - name: benchmark-result - path: benchmark-result + name: benchmark-report + path: report.md github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} run-id: ${{ github.event.workflow_run.id }} - - name: Read PR number - id: read-pr-number - run: echo "number=$(cat benchmark-result/pr_number)" >> $GITHUB_OUTPUT + - name: Get PR number + id: get-pr-number + run: | + PR_NUMBER=$(gh api "repos/${{ github.repository }}/pulls?head=${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }}&state=open" --jq '.[0].number') + echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} - name: Post message to PR uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2 with: - message-path: benchmark-result/report.md - issue: ${{ steps.read-pr-number.outputs.number }} + message-path: report.md + issue: ${{ steps.get-pr-number.outputs.number }} repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml index a79bf1b6..f11c676e 100644 --- a/.github/workflows/performance.yaml +++ b/.github/workflows/performance.yaml @@ -68,14 +68,9 @@ jobs: chmod +x base head hyperfine --export-markdown report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD" - - name: Save PR number - run: echo "${{ github.event.pull_request.number }}" > pr_number - - name: Upload result uses: actions/upload-artifact@v4 with: - name: benchmark-result - path: | - report.md - pr_number + name: benchmark-report + path: report.md retention-days: 1 From 2658af1fd8c535d42c46fe780c414eb199c4af93 Mon Sep 17 00:00:00 2001 
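Review bot: The new `Get PR number` step interpolates `github.event.workflow_run.head_branch` and `head_repository.owner.login` straight into the `run:` script, and a branch name is chosen by the contributor, so a crafted branch name can alter the command line of a step that holds `GH_TOKEN`; pass those values in through `env:` and reference them as shell variables (patch 3/5 of this series does exactly that). Separately, `.[0].number` yields the literal `null` when the REST query returns no open PR, so `number=null` is written to the output and the failure only surfaces later in `Post message to PR`; fail here instead, e.g. `--jq '.[0].number // error("no open PR for this head")'`. `$GITHUB_OUTPUT` should be quoted as well. The enclosing `jobs:` block starts outside the hunk.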
From: Paul Mars Date: Thu, 23 Apr 2026 13:47:04 +0200 Subject: [PATCH 3/5] fix: avoid shell injection --- .github/workflows/comment-perf.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml index 378604da..38cafe7d 100644 --- a/.github/workflows/comment-perf.yaml +++ b/.github/workflows/comment-perf.yaml @@ -27,11 +27,20 @@ jobs: - name: Get PR number id: get-pr-number - run: | - PR_NUMBER=$(gh api "repos/${{ github.repository }}/pulls?head=${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }}&state=open" --jq '.[0].number') - echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT env: GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} + # The branch name is considered an untrusted input value (under the + # contributor's control), so store it in a variable to avoid shell + # injection. + QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} ${{ github.event.workflow_run.head_sha }}" + # Filters and formats the JSON into a `key=value` string with basic error handling. + JQ_FILTER: >- + .[0] + | if (.number == null) then error("Could not find PR number") end + | "number=\(.number)" + run: | + gh pr list --repo "${{ github.repository }}" --state all --search "${QUERY_PR}" \ + --json number --jq "${JQ_FILTER}" >> "${GITHUB_OUTPUT}" - name: Post message to PR uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2 From 3d374f4ddea5a886bdc019ba45fa74d1516c4aad Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Fri, 24 Apr 2026 10:09:17 +0200 Subject: [PATCH 4/5] ci: filter PR search by author and sort --- .github/workflows/comment-perf.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml index 38cafe7d..91f4cda5 100644 --- a/.github/workflows/comment-perf.yaml +++ b/.github/workflows/comment-perf.yaml 
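Review bot: `gh pr list --state all` combined with `.[0]` over an unsorted result list means a closed or merged PR from a reused branch name can be picked, and the bot comment then lands on a stale PR. If `all` is deliberate so that a PR merged before the benchmark run finishes still receives its report, say so in the comment next to `QUERY_PR`; otherwise `--state open` is the safer default, and the `head_sha` term in the query presumably narrows the match to the PR containing that commit, which I cannot confirm from here. Patch 4/5 adds `sort:updated-desc`, which makes `.[0]` deterministic but does not change the state question. The `Post message to PR` step continues outside the hunk.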
@@ -32,7 +32,9 @@ jobs: # The branch name is considered an untrusted input value (under the # contributor's control), so store it in a variable to avoid shell # injection. - QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} ${{ github.event.workflow_run.head_sha }}" + # In the unlikely case where multiple PRs, on the same branch, from the + # same author exists, the most recent one is selected. + QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} sort:updated-desc author:${{ github.event.workflow_run.head_repository.owner.login }} ${{ github.event.workflow_run.head_sha }}" # Filters and formats the JSON into a `key=value` string with basic error handling. JQ_FILTER: >- .[0] From 95a488d35721a8b7df618c9b3078d59ba3d76bf5 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Tue, 28 Apr 2026 09:10:03 +0200 Subject: [PATCH 5/5] ci: address review --- .github/workflows/comment-perf.yaml | 6 +++--- .github/workflows/performance.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml index 91f4cda5..e0576106 100644 --- a/.github/workflows/comment-perf.yaml +++ b/.github/workflows/comment-perf.yaml @@ -21,7 +21,7 @@ jobs: uses: actions/download-artifact@v4 with: name: benchmark-report - path: report.md + path: benchmark-report.md github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} run-id: ${{ github.event.workflow_run.id }} @@ -38,7 +38,7 @@ jobs: # Filters and formats the JSON into a `key=value` string with basic error handling. JQ_FILTER: >- .[0] - | if (.number == null) then error("Could not find PR number") end + | if (.number == null) then error("Cannot find PR number") end | "number=\(.number)" run: | gh pr list --repo "${{ github.repository }}" --state all --search "${QUERY_PR}" \ 
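Review bot: The new `author:${{ github.event.workflow_run.head_repository.owner.login }}` qualifier assumes the owner of the head repository is the PR author, which does not hold when the head repository is owned by an organization — including a PR opened from a branch of this repository itself, if the upstream is organization-owned (not visible from the hunk) — so the search returns nothing and the step fails on the `error(...)` branch for exactly those PRs. The REST form in 2/5 used the same login correctly as the `head=owner:branch` parameter, but the search `author:` qualifier is a different filter. Since `head:` plus the `head_sha` term already pins the PR, consider dropping `author:` and keeping the sort, e.g. `QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} sort:updated-desc ${{ github.event.workflow_run.head_sha }}"`. The added comment also reads `multiple PRs ... exists`; it should be `exist`.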
@@ -47,6 +47,6 @@ jobs: - name: Post message to PR uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2 with: - message-path: report.md + message-path: benchmark-report.md issue: ${{ steps.get-pr-number.outputs.number }} repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }} diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml index f11c676e..30144e65 100644 --- a/.github/workflows/performance.yaml +++ b/.github/workflows/performance.yaml @@ -66,11 +66,11 @@ jobs: id: benchmark run: | chmod +x base head - hyperfine --export-markdown report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD" + hyperfine --export-markdown benchmark-report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD" - name: Upload result uses: actions/upload-artifact@v4 with: name: benchmark-report - path: report.md + path: benchmark-report.md retention-days: 1