Drop pr-snapshot job

trask · trask · commit 4ebaf41db821 · 2026-05-04T15:00:40.000-07:00
diff --git a/.github/scripts/pr-triage/README.md b/.github/scripts/pr-triage/README.md
@@ -12,17 +12,10 @@ holds a privileged token AND executes PR-controlled code.
 | Job              | Entry point          | Tokens visible                                | PR-controlled code allowed |
 | ---------------- | -------------------- | --------------------------------------------- | -------------------------- |
 | authorize-command| `authorize.py`       | `GITHUB_TOKEN`                                | none (default-branch checkout only) |
-| pr-snapshot      | inline               | `GITHUB_TOKEN`                                | none — `gh pr checkout` + `git bundle`; PR tree never executed |
 | gradle-worker    | `worker_gradle.py`   | `GITHUB_TOKEN`                                | yes — runs `./gradlew` on PR tree |
 | copilot-worker   | `worker_copilot.py`  | `GITHUB_TOKEN`, `COPILOT_GITHUB_TOKEN`        | only Copilot CLI editing files; never `./gradlew` or other build tools |
 | poster           | `poster.py`          | otelbot installation token                    | none — `git`/`gh` on the worker artifact only |
 
-The PR working tree is checked out exactly once, in `pr-snapshot`, which
-holds no privileged secrets. It is exported as a git bundle and consumed
-by the worker jobs via `git fetch <bundle-file>`. This keeps `gh pr
-checkout` (which CodeQL flags as untrusted) out of any job that holds
-the Copilot token.
-
 Invariants (see the comments at the top of each entry-point file):
 
 * `gradle-worker` must never receive `COPILOT_GITHUB_TOKEN` or any other
diff --git a/.github/workflows/pr-triage-comments.yml b/.github/workflows/pr-triage-comments.yml
@@ -32,45 +32,6 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: python3 .github/scripts/pr-triage/authorize.py
 
-  # pr-snapshot is the ONLY job that runs `gh pr checkout`. It has no
-  # secrets and only `contents: read`, so the untrusted PR ref is never
-  # combined with a privileged token. The PR tree is exported as a git
-  # bundle and consumed by the worker jobs via `git fetch <file>`, which
-  # CodeQL does not classify as an untrusted checkout.
-  pr-snapshot:
-    needs: authorize-command
-    if: |
-      needs.authorize-command.outputs.allowed == 'true' &&
-      contains(fromJSON('["spotless","update_branch","fix","review"]'), needs.authorize-command.outputs.command)
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      PR_NUMBER: ${{ github.event.issue.number }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Bundle PR working tree
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh pr checkout "$PR_NUMBER"
-          mkdir -p "$RUNNER_TEMP/snapshot"
-          # --all so worker jobs see both the PR head and the base
-          # branch (needed by /update-branch). The bundle is consumed
-          # by `git fetch <file>` in the worker jobs; nothing in the
-          # PR tree is executed in this job.
-          git bundle create "$RUNNER_TEMP/snapshot/pr.bundle" --all
-          git rev-parse HEAD > "$RUNNER_TEMP/snapshot/head.txt"
-
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: pr-tree-bundle
-          path: ${{ runner.temp }}/snapshot
-          retention-days: 1
-
   # gradle-worker runs the PR triage commands that need Gradle on the PR's
   # working tree (/spotless, /update-branch, and the deterministic phase of
   # /fix). It does NOT receive the Copilot token, so a malicious build cannot
@@ -81,7 +42,7 @@ jobs:
   # commits and bundles. Otherwise it writes a CI bundle to handoff to
   # copilot-worker and signals needs-copilot=true.
   gradle-worker:
-    needs: [authorize-command, pr-snapshot]
+    needs: authorize-command
     if: |
       needs.authorize-command.outputs.allowed == 'true' &&
       contains(fromJSON('["spotless","update_branch","fix"]'), needs.authorize-command.outputs.command)
@@ -102,17 +63,10 @@ jobs:
           mkdir -p "$RUNNER_TEMP/pr-triage-trusted"
           cp -r .github/scripts/pr-triage/. "$RUNNER_TEMP/pr-triage-trusted/"
 
-      - name: Download PR bundle
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: pr-tree-bundle
-          path: ${{ runner.temp }}/pr-snapshot
-
-      - name: Restore PR working tree from bundle
-        run: |
-          HEAD_SHA=$(cat "$RUNNER_TEMP/pr-snapshot/head.txt")
-          git fetch "$RUNNER_TEMP/pr-snapshot/pr.bundle" "+$HEAD_SHA:refs/pr-triage/head"
-          git checkout --detach "refs/pr-triage/head"
+      - name: Check out PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr checkout "$PR_NUMBER"
 
       - name: Set up JDK for running Gradle
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
@@ -155,11 +109,10 @@ jobs:
   # PR-controlled build tooling, so the Copilot token is never reachable
   # by code from the PR working tree.
   copilot-worker:
-    needs: [authorize-command, pr-snapshot, gradle-worker]
+    needs: [authorize-command, gradle-worker]
     if: |
       always() &&
       needs.authorize-command.outputs.allowed == 'true' &&
-      needs.pr-snapshot.result == 'success' &&
       (needs.authorize-command.outputs.command == 'review' ||
        (needs.authorize-command.outputs.command == 'fix' && needs.gradle-worker.outputs.needs-copilot == 'true'))
     runs-on: ubuntu-latest
@@ -177,17 +130,10 @@ jobs:
           mkdir -p "$RUNNER_TEMP/pr-triage-trusted"
           cp -r .github/scripts/pr-triage/. "$RUNNER_TEMP/pr-triage-trusted/"
 
-      - name: Download PR bundle
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: pr-tree-bundle
-          path: ${{ runner.temp }}/pr-snapshot
-
-      - name: Restore PR working tree from bundle
-        run: |
-          HEAD_SHA=$(cat "$RUNNER_TEMP/pr-snapshot/head.txt")
-          git fetch "$RUNNER_TEMP/pr-snapshot/pr.bundle" "+$HEAD_SHA:refs/pr-triage/head"
-          git checkout --detach "refs/pr-triage/head"
+      - name: Check out PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr checkout "$PR_NUMBER"
 
       - name: Install Copilot CLI
         run: npm install -g @github/copilot@1.0.40
