mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
d82c47333a
Update the code to not use user input directly on executable code, as it can be used for injection attacks, as detailed [here](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) PR Close #51026
68 lines
2.7 KiB
YAML
68 lines
2.7 KiB
YAML
name: Run benchmark comparison
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
benchmark-compare:
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/benchmark-compare ')}}
|
|
steps:
|
|
- uses: TheModdingInquisition/actions-team-membership@a69636a92bc927f32c3910baac06bacc949c984c # v1.0
|
|
with:
|
|
team: 'team'
|
|
organization: angular
|
|
token: ${{secrets.BENCHMARK_COMPARE_MEMBERSHIP_GITHUB_TOKEN}}
|
|
exit: true
|
|
|
|
# Indicate that the benchmark command was received.
|
|
- uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3
|
|
with:
|
|
comment-id: ${{github.event.comment.id}}
|
|
token: '${{secrets.BENCHMARK_POST_RESULTS_GITHUB_TOKEN}}'
|
|
reactions: 'rocket'
|
|
|
|
- uses: alessbell/pull-request-comment-branch@aad01d65d6982b8eacabed5e9a684cd8ceb98da6 # v1.1
|
|
id: comment-branch
|
|
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
# Specify repository as the PR branch might be from a fork.
|
|
repository: ${{steps.comment-branch.outputs.head_owner}}/${{steps.comment-branch.outputs.head_repo}}
|
|
# Checkout the pull request and assume it being trusted given we've checked
|
|
# that the action was triggered by a team member.
|
|
ref: ${{steps.comment-branch.outputs.head_ref}}
|
|
|
|
- uses: ./.github/actions/yarn-install
|
|
|
|
- uses: angular/dev-infra/github-actions/setup-bazel-remote-exec@97cb376945b07e37671e3b38ee727ff00dc1394b
|
|
with:
|
|
bazelrc: ./.bazelrc.user
|
|
|
|
- name: Preparing benchmark for GitHub action
|
|
id: info
|
|
env:
|
|
# Untrusted input used in an executable code, must be wrapped as an env var to prevent injections
|
|
COMMENT_BODY: ${{ github.event.comment.body }}
|
|
run: yarn benchmarks prepare-for-github-action "$COMMENT_BODY"
|
|
|
|
- run: yarn benchmarks run-compare ${{steps.info.outputs.compareSha}} ${{steps.info.outputs.benchmarkTarget}}
|
|
id: benchmark
|
|
name: Running benchmark
|
|
|
|
- uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3
|
|
with:
|
|
issue-number: ${{github.event.issue.number}}
|
|
token: '${{secrets.BENCHMARK_POST_RESULTS_GITHUB_TOKEN}}'
|
|
body: |
|
|
## Benchmark Test Results
|
|
**Test**: `${{steps.info.outputs.benchmarkTarget}}`
|
|
|
|
### PR (${{steps.info.outputs.prHeadSha}})
|
|
${{steps.benchmark.outputs.workingStageResultsText}}
|
|
|
|
### Compare Ref (${{steps.info.outputs.compareSha}})
|
|
${{steps.benchmark.outputs.comparisonResultsText}}
|