Alternative preview release flow #613
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| name: Release Branch | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| release: | ||
| timeout-minutes: 20 | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
|
Member
There was a problem hiding this comment. how strong guarantees do we have here when it comes to what commit gets actually built and released? a workflow could get queued and also retried later - I feel this might be risky-ish because, I'd assume, it might run against the "current" version of a branch a security researcher emailed me with a description of an atack like this:
It feels like this workflow would be prone to this attack. I know none of those preview builds can truly be trusted - but we should minimize the risks when we can. |
||
| - uses: ./.github/actions/ci-setup | ||
|
|
||
| - run: yarn changeset version --snapshot branch-${{ github.ref_name }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Build | ||
| run: yarn build | ||
|
|
||
| - name: Setup Git user | ||
| run: | | ||
| git config --global user.name "github-actions[bot]" | ||
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
|
|
||
| - name: Release snapshot version | ||
| run: yarn run release:pr | ||
| env: | ||
| GITHUB_REF_NAME: ${{ github.ref_name }} | ||
|
|
||
| - name: Summarize preview release | ||
| run: | | ||
| commit_sha=$(git rev-parse HEAD) | ||
| repository_owner="${{ github.repository_owner }}" | ||
| repository_name="${{ github.event.repository.name }}" | ||
|
|
||
| { | ||
| echo "See the diff for this built version: https://github.com/changesets/action/compare/main...${repository_owner}:${repository_name}:${commit_sha}" | ||
| echo "" | ||
| echo "Use this preview build in a GitHub Actions workflow:" | ||
| echo "" | ||
| echo '```yaml' | ||
| echo " - uses: ${GITHUB_REPOSITORY}@${commit_sha}" | ||
| echo '```' | ||
| } >> "$GITHUB_STEP_SUMMARY" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit, the "base" workflow is caled publish - perhaps we should rename this one to match the base one more closely?