
chore: update bumpy to 1.18.0 + adopt ci comment fork-comment split #840

Merged: theoephraim merged 3 commits into main from bumpy-1.18-comment-split on Jun 26, 2026

Conversation

theoephraim commented Jun 26, 2026

Member

Updates @varlock/bumpy to ^1.18.0 and migrates the PR release-plan comment to 1.18's official fork-safe split, replacing the hand-rolled pull_request_target workflow from #837.

What changed

  • bumpy-check.yaml — rewritten from pull_request_target to plain pull_request with a read-only token. It computes the release plan, gates on missing bump files, and writes the rendered comment to the bumpy-comment artifact (ci check --emit-comment). Running PR code is safe here because the token can't post or write. Job renamed check → bumpy-check so its status context (Bumpy check / bumpy-check) is unambiguous in branch protection.
  • bumpy-comment.yaml (new) — workflow_run poster that runs in a trusted context (never checks out PR code), downloads the untrusted artifact to runner.temp (outside the checkout, so it can't overwrite trusted files — CodeQL actions/artifact-poisoning), and posts it (ci comment --body-file). The target PR is resolved from the trusted workflow_run event, never from the artifact.
  • package.json — bumpy ^1.17.0 → ^1.18.0.

release.yaml already uses the recommended split plan/version-pr/publish pattern, so it's unchanged.

Rollout notes

  • workflow_run triggers always run the definition from the default branch, so bumpy-comment.yaml only activates after this merges to main — the release-plan comment will start appearing on PRs opened after merge.
  • If you require this check in branch protection, require Bumpy check / bumpy-check.

Replace the hand-rolled pull_request_target release-plan comment with bumpy
1.18's two-workflow split:
- bumpy-check.yaml now runs on plain pull_request with a read-only token,
  gates on missing bump files, and emits the rendered comment as an artifact
  (ci check --emit-comment).
- bumpy-comment.yaml is a new workflow_run poster that downloads that artifact
  and posts it (ci comment --body-file), resolving the target PR from the
  trusted event rather than the artifact.

release.yaml already matches the recommended split plan/version-pr/publish
pattern, so it is unchanged.
theoephraim added a commit to dmno-dev/bumpy that referenced this pull request Jun 26, 2026
…ct-poisoning) (#146)

## Why

varlock adopted the 1.18 `workflow_run` fork-comment split
([varlock#840](dmno-dev/varlock#840)) and CodeQL
flagged the poster with a **critical** `actions/artifact-poisoning`
alert. The recommended `bumpy-comment.yaml` (and our dogfood copy)
downloads the untrusted artifact into `./bumpy-comment` — i.e. *inside*
`GITHUB_WORKSPACE`, alongside the trusted checkout. CodeQL's
recommendation is to "extract artifacts to a temporary folder so they
cannot override existing files."

bumpy's own repo has no CodeQL workflow, so neither the dogfood poster
nor the docs template was ever analyzed — varlock (which runs CodeQL
Actions analysis) was the first to surface it.

## What

- **`docs/github-actions.md`** — the recommended poster now downloads to
`${{ runner.temp }}/bumpy-comment` (outside the checkout) and reads
`--body-file "$RUNNER_TEMP/bumpy-comment/comment.md"`.
- **`.github/workflows/bumpy-comment.yaml`** (dogfood) — same change;
dropped the now-moot "download after checkout or it gets wiped" note
since temp is outside the workspace.
- **Safety-rule callout** — documents *why* (untrusted artifact can't
overwrite trusted files) and adds a short note that CodeQL's
`actions/artifact-poisoning` query may flag the step: the temp-dir
download addresses its core recommendation, and if a strict variant
still flags it, it's a dismissable false positive (body used only as
comment text; PR resolved from the trusted `workflow_run` event, never
the artifact).

The upload side (unprivileged render step) intentionally keeps
`./bumpy-comment` — only the privileged download moves to temp.

## Notes

Docs + a dogfood workflow comment/path change. No behavior change to the
comment that gets posted. The `runner.temp` path is outside
`GITHUB_WORKSPACE` on hosted runners, so the trusted checkout (read for
the pinned bumpy version) is untouched.
theoephraim merged commit 060adb4 into main Jun 26, 2026
24 of 25 checks passed