Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 22 additions & 10 deletions .github/actions/ecosystem_ci_dispatch/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,13 @@ inputs:
outputs:
workflow-id:
description: 'ID of the triggered downstream workflow run'
value: ${{ steps.eco_ci.outputs.workflow_id }}
value: ${{ steps.dispatch.outputs.run_id }}
workflow-url:
description: 'URL of the triggered downstream workflow run'
value: ${{ steps.eco_ci.outputs.workflow_url }}
value: ${{ steps.dispatch.outputs.run_url }}
conclusion:
description: 'Conclusion reported by the downstream workflow'
value: ${{ steps.eco_ci.outputs.conclusion }}
value: ${{ steps.eco_ci.outcome }}
summary:
description: 'Formatted markdown summary of downstream job results'
value: ${{ steps.eco-ci-result.outputs.summary }}
Expand Down Expand Up @@ -114,17 +114,29 @@ runs:
})
return comment.id

- id: dispatch
name: Dispatch Ecosystem CI
uses: Codex-/return-dispatch@16fa9d14771c4d56ae0196bbda1d3c17f7f3650f # v3.0.2
continue-on-error: true
with:
token: ${{ inputs.github-token }}
ref: ci/dockerless-workflow-dispatch
owner: rstackjs
repo: rstack-ecosystem-ci
workflow: ${{ inputs.workflow-file }}
workflow_inputs: ${{ inputs.client-payload }}

Comment on lines +117 to +128

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Temporary branch pin on ref breaks the auto-propagation bridge.

ref: ci/dockerless-workflow-dispatch hardcodes the dispatch target to a dev branch instead of main. Per the SHA/ref policy this field is explicitly meant to remain main — pointing it elsewhere breaks the mechanism that lets the third bucket auto-propagate, and diverges from the sibling ecosystem_ci_per_commit/action.yaml, which correctly keeps ref: 'main' (line 53). This is already called out as WIP in the commit history, but as staged it would ship a broken/diverged config.

🔧 Proposed fix
       with:
         token: ${{ inputs.github-token }}
-        ref: ci/dockerless-workflow-dispatch
+        ref: main
         owner: rstackjs

As per coding guidelines, "Do not parameterize ref: main in trigger-workflow-and-wait — it is the bridge that makes the third bucket auto-propagate" and "When fixing a bug or adding a feature to one stack's workflows or shared actions, check whether the same issue or gap exists in the other stacks and apply the fix uniformly."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- id: dispatch
name: Dispatch Ecosystem CI
uses: Codex-/return-dispatch@16fa9d14771c4d56ae0196bbda1d3c17f7f3650f # v3.0.2
continue-on-error: true
with:
token: ${{ inputs.github-token }}
ref: ci/dockerless-workflow-dispatch
owner: rstackjs
repo: rstack-ecosystem-ci
workflow: ${{ inputs.workflow-file }}
workflow_inputs: ${{ inputs.client-payload }}
- id: dispatch
name: Dispatch Ecosystem CI
uses: Codex-/return-dispatch@16fa9d14771c4d56ae0196bbda1d3c17f7f3650f # v3.0.2
continue-on-error: true
with:
token: ${{ inputs.github-token }}
ref: main
owner: rstackjs
repo: rstack-ecosystem-ci
workflow: ${{ inputs.workflow-file }}
workflow_inputs: ${{ inputs.client-payload }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/ecosystem_ci_dispatch/action.yaml around lines 117 - 128,
The Dispatch Ecosystem CI action is hardcoded to a temporary branch on the
dispatch target ref, which breaks the auto-propagation bridge. Update the
dispatch step in ecosystem_ci_dispatch/action.yaml so the ref stays on main,
matching the sibling ecosystem_ci_per_commit/action.yaml and the SHA/ref policy,
and do not parameterize or override that ref in the trigger-workflow-and-wait
flow.

Source: Coding guidelines

- id: eco_ci
name: Run Ecosystem CI
uses: convictional/trigger-workflow-and-wait@f69fa9eedd3c62a599220f4d5745230e237904be # v1.6.5
name: Await Ecosystem CI
uses: Codex-/await-remote-run@2512346665df8818ec7ad6aca3cdceb7626cd384 # v2.0.0
continue-on-error: true
with:
token: ${{ inputs.github-token }}
owner: rstackjs
repo: rstack-ecosystem-ci
workflow_file_name: ${{ inputs.workflow-file }}
ref: main
github_token: ${{ inputs.github-token }}
client_payload: ${{ inputs.client-payload }}
run_id: ${{ steps.dispatch.outputs.run_id }}
run_timeout_seconds: 10800
poll_interval_ms: 30000

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand All @@ -137,7 +149,7 @@ runs:
with:
job-prefix: ${{ inputs.job-name-prefix }}
heading: ${{ inputs.ecosystem-repo }}
workflow-output: ${{ toJson(steps.eco_ci.outputs) }}
workflow-output: '{"run_id": "${{ steps.dispatch.outputs.run_id }}"}'

- id: update-comment
name: Update Comment
Expand Down
32 changes: 22 additions & 10 deletions .github/actions/ecosystem_ci_per_commit/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ inputs:
outputs:
workflow-id:
description: 'ID of the triggered downstream workflow run'
value: ${{ steps.eco_ci.outputs.workflow_id }}
value: ${{ steps.dispatch.outputs.run_id }}
workflow-url:
description: 'URL of the triggered downstream workflow run'
value: ${{ steps.eco_ci.outputs.workflow_url }}
value: ${{ steps.dispatch.outputs.run_url }}
conclusion:
description: 'Conclusion reported by the downstream workflow'
value: ${{ steps.eco_ci.outputs.conclusion }}
value: ${{ steps.eco_ci.outcome }}
summary:
description: 'Formatted markdown summary of downstream job results'
value: ${{ steps.eco-ci-result.outputs.summary }}
Expand All @@ -44,25 +44,37 @@ outputs:
runs:
using: composite
steps:
- name: Run Ecosystem CI with notify
- name: Dispatch Ecosystem CI
id: dispatch
continue-on-error: true
uses: Codex-/return-dispatch@16fa9d14771c4d56ae0196bbda1d3c17f7f3650f # v3.0.2
with:
token: ${{ inputs.github-token }}
ref: 'main'
owner: rstackjs
repo: rstack-ecosystem-ci
workflow: ${{ inputs.workflow-file }}
workflow_inputs: ${{ inputs.client-payload }}

- name: Await Ecosystem CI
id: eco_ci
continue-on-error: true
uses: convictional/trigger-workflow-and-wait@f69fa9eedd3c62a599220f4d5745230e237904be # v1.6.5
uses: Codex-/await-remote-run@2512346665df8818ec7ad6aca3cdceb7626cd384 # v2.0.0
with:
token: ${{ inputs.github-token }}
owner: rstackjs
repo: rstack-ecosystem-ci
workflow_file_name: ${{ inputs.workflow-file }}
github_token: ${{ inputs.github-token }}
ref: 'main'
client_payload: ${{ inputs.client-payload }}
run_id: ${{ steps.dispatch.outputs.run_id }}
run_timeout_seconds: 10800
poll_interval_ms: 30000

- name: Get CI Result
id: eco-ci-result
uses: rstackjs/rstack-ecosystem-ci/.github/actions/ecosystem-ci-result@3cbb84659edaf3713e10831715d39de0d5c02df7 # main
with:
job-prefix: ${{ inputs.job-name-prefix }}
heading: ${{ inputs.ecosystem-repo }}
workflow-output: ${{ toJson(steps.eco_ci.outputs) }}
workflow-output: '{"run_id": "${{ steps.dispatch.outputs.run_id }}"}'

- id: create-commit-comment
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
Expand Down
14 changes: 14 additions & 0 deletions .github/workflows/rspack-ecosystem-ci-from-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,22 @@ on:
required: true
type: string
default: 'precoded'
distinct_id:
description: 'Distinct ID injected by return-dispatch to identify this run'
required: false
type: string
default: ''

jobs:
return-dispatch-id:
name: Return Dispatch ID
runs-on: ubuntu-latest
steps:
- name: Return Dispatch ID ${{ inputs.distinct_id }}
run: echo "${DISTINCT_ID}"
env:
DISTINCT_ID: ${{ inputs.distinct_id }}

Comment on lines 64 to +73

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Add explicit least-privilege permissions to the new job.

zizmor flags this job for using default (overly broad) permissions since no permissions: block is declared. This job only needs to echo a string, so it should not inherit the workflow's default token scope.

🔒 Proposed fix
   return-dispatch-id:
     name: Return Dispatch ID
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Return Dispatch ID ${{ inputs.distinct_id }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
return-dispatch-id:
name: Return Dispatch ID
runs-on: ubuntu-latest
steps:
- name: Return Dispatch ID ${{ inputs.distinct_id }}
run: echo "${DISTINCT_ID}"
env:
DISTINCT_ID: ${{ inputs.distinct_id }}
jobs:
return-dispatch-id:
name: Return Dispatch ID
runs-on: ubuntu-latest
permissions: {}
steps:
- name: Return Dispatch ID ${{ inputs.distinct_id }}
run: echo "${DISTINCT_ID}"
env:
DISTINCT_ID: ${{ inputs.distinct_id }}
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 65-72: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rspack-ecosystem-ci-from-pr.yml around lines 64 - 73, Add
an explicit permissions block to the return-dispatch-id job so it does not
inherit the workflow’s default token scope. Update the job definition for
return-dispatch-id in rspack-ecosystem-ci-from-pr.yml to set least-privilege
permissions appropriate for a step that only echoes DISTINCT_ID, and keep the
change localized to that job.

Source: Linters/SAST tools

get-runner-labels:
name: Get Runner Labels
uses: ./.github/workflows/get-runner-labels.yml
Expand Down
Loading