fix: use rc-test npm workflow for CI #175
The external workflow react-component/rc-test/.github/workflows/test.yml@main has switched to bun (oven-sh/setup-bun), but this project uses npm. Switch to a self-contained workflow that runs:
- actions/checkout@v4
- actions/setup-node@v4 (Node 18)
- npm ci
- npm run lint
- npm run lint:tsc
- npm run compile
- npm test
📝 Walkthrough: the CI workflow file switches the test job from calling an external reusable workflow (
Changes: CI workflow inlined.
- Use actions/checkout@v4 and actions/setup-node@v4 (current versions)
- Add cache: npm for faster installs
- Use node 20 LTS for better compatibility
- Add --forceExit to npm test to prevent hanging in CI
Actionable comments posted: 2
Inline comments:
In @.github/workflows/react-component-ci.yml:
- Around line 7-8: The GitHub Action references for actions/checkout and
actions/setup-node are pinned to floating version tags (`@v4`) rather than
specific commit SHAs, creating a supply chain security risk where upstream tag
redirection could execute unaudited code. Replace the floating `@v4` tags with the
full commit SHA for the latest stable release of each action. Obtain the commit
SHAs from the official GitHub releases pages for actions/checkout and
actions/setup-node, then update both uses statements to reference the specific
commit SHA instead of the version tag.
- Line 7: The actions/checkout@v4 action on line 7 does not explicitly disable
credential persistence, which leaves the GITHUB_TOKEN exposed in .git/config for
potential misuse by subsequent workflow steps. Since this workflow only performs
code pulling (npm ci, lint, and test) without any git push operations, add the
`persist-credentials: false` parameter to the checkout action to explicitly
prevent the GITHUB_TOKEN from being stored in the git configuration.
| secrets: inherit | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
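Review bot: `secrets: inherit` is only valid on a job that calls a reusable workflow through `uses:`; now that this job declares `runs-on` and `steps` itself, that key must go or GitHub will reject the workflow file at parse time ("Unexpected value 'secrets'"), so confirm it is among the removed lines of this hunk rather than retained context.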
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/react-component-ci.yml | head -20
Repository: ant-design/compatible
🌐 Web query:
actions/checkout persist-credentials security GitHub token
💡 Result:
Summary
The persist-credentials setting in actions/checkout has significant security implications for GitHub token handling:
Default Behavior
By default, persist-credentials is set to true in actions/checkout, which means the action stores the GITHUB_TOKEN in .git/config.
Security Risks
This means any subsequent step in the workflow can access the token, even if it doesn't need git push capabilities. Additional risks include:
- Any later step or third-party action can read ~/.git-credentials or the Git credential helper and use the GITHUB_TOKEN to make API calls or push commits
- If this file is not excluded from packaging and build processes, it could be exfiltrated out of the Actions runner into Docker images or other publicly available artifacts
Mitigation
Setting persist-credentials: false on checkout steps that don't require git push reduces the attack surface by preventing credential theft through compromised dependencies or scripts.
The token is removed during post-job cleanup. Set persist-credentials: false to opt-out.
Recommendation
Remove or set persist-credentials to false unless explicitly needed, particularly for workflows that only read code like tests, builds, and scans. Keep it enabled only for workflows that genuinely need to push commits back to the repository.
Disable credential persistence on checkout to reduce the exposure of GITHUB_TOKEN.
Line 7 does not set persist-credentials: false. Since this workflow only needs to pull code (running npm ci, lint and test) and performs no git push, credential persistence should be disabled explicitly. With the default configuration, GITHUB_TOKEN is stored in .git/config, where any operation in a later step can read it.
Suggested patch
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
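Review bot: the suggestion only closes the credential-persistence finding; the `@v4` on the same `- uses: actions/checkout@v4` line is still the floating tag that zizmor reports below as unpinned-uses, so pin it to the commit SHA of the release in the same change rather than leaving a second fix-up commit for that line.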
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 7-7: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 7-7: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
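As an added example (not code from this PR or from the ant-design/compatible repository), a small line-based checker that reproduces the two zizmor findings above on a constructed copy of the npm job: `uses:` references not pinned to a commit SHA, and a checkout step that leaves `persist-credentials` at its default. The hardened variant shows both fixes applied; its commit SHAs are placeholders, not real actions/checkout or actions/setup-node releases.

```python
import re

# Constructed sample of the npm job described on this PR (not the repository's file).
WEAK_STEPS = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: 20
  - run: npm ci
"""
# The same steps with both review findings applied; the SHAs are placeholders, not real releases.
HARDENED_STEPS = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
    with:
      persist-credentials: false
  - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98  # placeholder SHA
    with:
      node-version: 20
  - run: npm ci
"""
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")

def audit_workflow(text):
    """Return (line_no, rule, message) findings matching zizmor's unpinned-uses and
    artipacked rules: floating action refs, and checkout steps that keep credentials."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append((idx + 1, "unpinned-uses", f"{action}@{ref} is not pinned to a commit SHA"))
        if action == "actions/checkout":
            key_col = line.index("uses:")  # the step's other keys (with:) sit at this column
            persist_off = False
            for nxt in lines[idx + 1:]:
                col = len(nxt) - len(nxt.lstrip())
                if nxt.strip() and (col < key_col or (col == key_col and nxt.lstrip().startswith("-"))):
                    break  # reached the next step or left the steps list
                persist_off |= bool(PERSIST_OFF_RE.match(nxt))
            if not persist_off:
                findings.append((idx + 1, "artipacked", "checkout does not set persist-credentials: false"))
    return findings
```

The checker also handles the `- name: ... / uses: ...` step form, where the `uses:` key has no leading dash.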
React to react-component/rc-test/.github/workflows/test-npm.yml@main, which uses npm (not bun) and runs:
- npm i --legacy-peer-deps
- npm run lint
- npx tsc --noEmit
- npm run compile
- npm run test -- --coverage
Codecov Report: ✅ All modified and coverable lines are covered by tests.
@@           Coverage Diff           @@
##           master     #175   +/-   ##
=======================================
  Coverage   43.46%   43.46%
=======================================
  Files          21       21
  Lines         398      398
  Branches      101      101
=======================================
  Hits          173      173
  Misses        225      225
Switch from the bun-based rc-test test.yml to test-npm.yml (uses npm, not bun). This project uses father build + umi-test, compatible with test-npm.yml's npm-based steps.