changesets/bot

Consider moving the bot back to Github Actions

Opened this issue · 3 comments

alcuadrado commented

Hi,

I noticed that this bot used to be an action, but it didn't work for forks, so it was moved to a bot.

Have you considered moving it back to a github action now that you can use pull_request_target?

Moving it to an action would let users customize things. For example, I'd like to disable the bot when PRs only modify certain folders.

willwill96 commented

I would also like to see more customizability out of this bot. I may be a niche case, but I am trying to build out a conventional commit ci workflow using changesets. For that, it would be useful if I could run a script to convert commit messages to changesets before the bot runs through its scripts.

JReinhold commented

This is an interesting idea, but you'd still need the head of the PR, since that's the one that would contain any changesets to check for.
So it would be something like:

  1. on pull_request_target
  2. checkout repo (which will be the base)
  3. checkout head in another directory
  4. run the "check Changesets" action, with a configuration pointing to the directory from head.

I'm not sure how much of this would need to be implemented in user land, vs. could be contained within the action itself.

You could also have a condition that would check if this was a fork or not. if it isn't a fork, you can skip step 3.

jakebailey commented

I've also wanted this recently, just for filtering. DefinitelyTyped-tools uses changesets but hasn't enabled the bot because we don't want people to add changesets for the allowedPackageJsonDependencies.txt file (as the tooling always pulls from the repo, not published packages).

This is an interesting idea, but you'd still need the head of the PR, since that's the one that would contain any changesets to check for.

You definitely do not want to be cloning any untrusted code in pull_request_target workflows. A better idea is to use the GitHub APIs to pull information about the PR, which is presumably what the bot already does now given it's implemented as a GitHub App (and would not be cloning).

For example, https://github.com/microsoft/TypeScript/blob/main/.github/workflows/pr-modified-files.yml is a workflow which triages PRs and closes / replies to them if certain conditions are met, but done without cloning.

See also: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/