🎬 Generate a demo GIF for this PR: `gh workflow run demo.yml -R sethrylan/boop -f pr_number=35`
Pull request overview
This PR updates the demo workflow configuration and documentation from the gh-repolint template repository. The changes significantly improve security by switching from a comment-triggered workflow to a manually-dispatched workflow, which prevents potential "pwn request" attacks where untrusted code could be executed with write permissions.
Changes:
- Replaced comment-triggered demo generation (`/demo` command) with manual workflow dispatch requiring write access
- Enhanced security by checking out PR code by commit SHA instead of branch reference to prevent TOCTOU issues
- Added comprehensive documentation explaining the security considerations and design decisions
- Added a hint workflow that automatically posts instructions for generating demos on new PRs
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .repolint.yaml | Adds references to new demo-hint workflow and demo-workflow documentation |
| docs/readme.md | Removes old demo documentation (replaced by demo-workflow.md) |
| docs/demo-workflow.md | Adds comprehensive documentation explaining workflow security design and implementation |
| .github/workflows/demo.yml | Switches from issue_comment trigger to workflow_dispatch, improves security by checking out by SHA |
| .github/workflows/demo-hint.yml | Adds new workflow to post helpful demo generation instructions on new PRs |
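The dispatch-plus-SHA design summarized in the review, as an added illustration that is not the repository's own demo.yml: the job name, the `make-demo.sh` script and the `demo.gif` path are assumptions, and the push step assumes the PR branch lives in the same repository.

```yaml
# Added illustration (not the repository's own demo.yml) of the design the
# review describes: manual dispatch plus checkout pinned to a commit SHA.
# The job name, the make-demo.sh script and the GIF path are assumptions.
name: demo

on:
  workflow_dispatch:          # only users with write access can dispatch;
    inputs:                   # nothing runs on an untrusted comment event
      pr_number:
        description: Pull request number to render a demo for
        required: true
        type: number

permissions:
  contents: write             # needed to push the GIF to the PR branch
  pull-requests: read

jobs:
  demo-gif:
    runs-on: ubuntu-latest
    steps:
      - name: Resolve the PR head commit at dispatch time
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Pin the exact commit now. Checking out the branch name later
          # could pick up a commit pushed after the maintainer reviewed it
          # (the TOCTOU window the review mentions).
          api="repos/${GITHUB_REPOSITORY}/pulls/${{ inputs.pr_number }}"
          echo "sha=$(gh api "$api" --jq .head.sha)" >> "$GITHUB_OUTPUT"
          echo "ref=$(gh api "$api" --jq .head.ref)" >> "$GITHUB_OUTPUT"

      - name: Check out that commit, not the branch reference
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}

      - name: Generate the demo and push it back to the PR branch
        run: |
          ./make-demo.sh                      # assumed; writes demo.gif
          git config user.name github-actions
          git config user.email github-actions@github.com
          git add demo.gif
          git commit -m "Add demo GIF"
          # Assumes a same-repository branch. A push made with the workflow
          # token does not trigger other workflows, which is the
          # "triggering workflow runs" challenge noted in docs/demo-workflow.md.
          git push origin "HEAD:${{ steps.pr.outputs.ref }}"
```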
| The demo workflow needs to run on a pull request and write to the same PR branch. This introduces 3 interconnected challenges: | ||
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions's token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repo's branch protection rules require checks to pass on the latest commit. |
Incorrect possessive form. Should be either "repos'" (plural possessive) or "repository's" (singular possessive) instead of "repo's". Since the sentence refers to "most" repositories, "repos'" would be more appropriate.
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions's token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repo's branch protection rules require checks to pass on the latest commit. | |
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions's token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repos' branch protection rules require checks to pass on the latest commit. |
| The demo workflow needs to run on a pull request and write to the same PR branch. This introduces 3 interconnected challenges: | ||
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions's token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repo's branch protection rules require checks to pass on the latest commit. |
Incorrect possessive form. "GitHub Actions" ends with 's', so the possessive should be "GitHub Actions'" not "GitHub Actions's".
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions's token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repo's branch protection rules require checks to pass on the latest commit. | |
| 1. **Triggering workflow runs**. By [design](https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow), a commit by GitHub Actions' token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repo's branch protection rules require checks to pass on the latest commit. |
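Review bot: this suggestion corrects "GitHub Actions's" but keeps "repo's", while the suggestion on the same line above corrects "repo's" but keeps "Actions's"; both edit the same line, so committing them separately either leaves one error in place or produces a conflict. Fold them into a single suggestion: `a commit by GitHub Actions' token cannot trigger a workflow (directly or indirectly) to prevent infinite loops. But most repos' branch protection rules require checks to pass on the latest commit.`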
No description provided.