166 changes: 0 additions & 166 deletions .github/workflows/bundle-analysis.yml

This file was deleted.

141 changes: 141 additions & 0 deletions .github/workflows/code-analysis.yml
@@ -0,0 +1,141 @@
name: Code Analysis

on:
pull_request_target:
paths:
- 'frontend/**'
branches: [ main, master ]
workflow_dispatch:

jobs:
web-bundle-analysis:
if: contains(github.event.pull_request.labels.*.name, 'run-analysis') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: frontend/package-lock.json

- name: Install Dependencies
run: npm install
working-directory: ./frontend

- name: Setup EAS
uses: expo/expo-github-action@v8
with:
eas-version: latest
token: ${{ secrets.EXPO_TOKEN }}

- name: Build for Bundle Analysis (Web)
run: |
if npx expo export --platform web --output-dir web-build 2>/dev/null; then
echo "✅ Expo web export successful"
else
echo "⚠️ Web export failed, using alternative bundle analysis approach"
npx metro build --entry-file index.js --platform web --bundle-output web-build/bundle.js --assets-dest web-build/static || true
fi
working-directory: ./frontend

- name: Analyze Web Bundle Size
working-directory: ./frontend
run: |
if [ ! -d "web-build" ]; then
echo "❌ No web-build directory found. Skipping analysis."
exit 0
fi

TOTAL_SIZE=0
if [ -d "web-build/static/js" ]; then
TOTAL_SIZE=$(find web-build/static/js -name "*.js" -type f -exec stat -c%s {} \; | awk '{sum+=$1} END {print sum}')
elif [ -f "web-build/bundle.js" ]; then
TOTAL_SIZE=$(stat -c%s web-build/bundle.js)
fi

if [ "$TOTAL_SIZE" -gt 0 ]; then
TOTAL_SIZE_MB=$(awk "BEGIN {printf \"%.2f\", $TOTAL_SIZE / 1024 / 1024}")
echo "📊 Total Web JavaScript bundle size: ${TOTAL_SIZE_MB} MB"

echo "# Web Bundle Analysis Report" > bundle-analysis-web.md
echo "## Bundle Size Summary" >> bundle-analysis-web.md
echo "- Total JavaScript bundle size: **${TOTAL_SIZE_MB} MB**" >> bundle-analysis-web.md
else
echo "❌ No JavaScript bundles found in expected locations."
fi

- name: Upload Web Bundle Analysis Report
if: always() && hashFiles('frontend/bundle-analysis-web.md') != ''
uses: actions/upload-artifact@v4
with:
name: web-bundle-analysis-report
path: frontend/bundle-analysis-web.md

rn-bundle-analysis:
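Review bot: In the `web-bundle-analysis` job, `on: pull_request_target` combined with `ref: ${{ github.event.pull_request.head.sha || github.ref }}` means `npm install` and `npx expo export` execute code from the pull request head in the base repository's context, in a job that also receives `secrets.EXPO_TOKEN`. The `run-analysis` label is the only gate, and because no `types:` are listed the workflow fires on the default opened, synchronize and reopened events, so once the label is on a PR every later push to it runs here without a fresh review. Suggest building PR code under `pull_request` with no secrets, or dropping the `Setup EAS` step from this job, since none of the visible commands call `eas`; `npm ci` against the committed `frontend/package-lock.json` would also fit better than `npm install`.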
Comment on lines +12 to +80

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 5 months ago

To fix the problem, explicitly set the permissions key at the top level of the workflow file. This will apply the specified permissions to all jobs in the workflow unless overridden at the job level. Since the jobs only need to read repository contents and upload artifacts, the minimal required permission is contents: read. This change should be made near the top of the file, after the name field and before the on field, to ensure it applies globally. No additional methods, imports, or definitions are needed.


Suggested changeset 1
.github/workflows/code-analysis.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Code Analysis
 
 on:
EOF
@@ -1,3 +1,5 @@
permissions:
contents: read
name: Code Analysis

on:
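Review bot: The patch inserts `permissions:` above `name: Code Analysis`, while the accompanying explanation says to place it after the `name` field and before `on`. Top-level key order does not change behaviour, but keeping `name:` first is consistent with `preview.yml` in this PR. Note also that `contents: read` only scopes the `GITHUB_TOKEN`; it does not change which jobs receive `secrets.EXPO_TOKEN`, so this closes the CodeQL warning without addressing the `pull_request_target` checkout of the PR head.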
Copilot is powered by AI and may make mistakes. Always verify output.
if: contains(github.event.pull_request.labels.*.name, 'run-analysis') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: frontend/package-lock.json

- name: Install Dependencies
run: npm install
working-directory: ./frontend

- name: Setup EAS
uses: expo/expo-github-action@v8
with:
eas-version: latest
token: ${{ secrets.EXPO_TOKEN }}

- name: Build for Bundle Analysis (RN)
run: |
if npx expo export --platform android --output-dir android-build --max-workers 1; then
echo "✅ Android export successful"
else
echo "⚠️ Android export failed. Skipping analysis."
fi
working-directory: ./frontend

- name: Analyze RN Bundle Size
working-directory: ./frontend
run: |
if [ ! -d "android-build" ]; then
echo "❌ No android-build directory found. Skipping analysis."
exit 0
fi

BUNDLE_FILE=$(find android-build/bundles -name "android-*.js" | head -1)
if [ -f "$BUNDLE_FILE" ]; then
BUNDLE_SIZE=$(stat -c%s "$BUNDLE_FILE")
BUNDLE_SIZE_MB=$(awk "BEGIN {printf \"%.2f\", $BUNDLE_SIZE / 1024 / 1024}")

echo "# React Native Bundle Analysis Report" > bundle-analysis-rn.md
echo "## Bundle Size Summary" >> bundle-analysis-rn.md
echo "- Platform: Android" >> bundle-analysis-rn.md
echo "- Bundle size: **${BUNDLE_SIZE_MB} MB**" >> bundle-analysis-rn.md
else
echo "❌ No Android bundle found."
fi

- name: Upload RN Bundle Analysis Report
if: always() && hashFiles('frontend/bundle-analysis-rn.md') != ''
uses: actions/upload-artifact@v4
with:
name: rn-bundle-analysis-report
path: frontend/bundle-analysis-rn.md
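Review bot: The `Build for Bundle Analysis (RN)` step swallows a failed export (its `else` branch only echoes), and `Analyze RN Bundle Size` then leaves through `exit 0`, so a PR that breaks the Android build still gets a green check and no report. Let the export failure fail the job instead of skipping silently. This job also repeats the head-SHA checkout with `secrets.EXPO_TOKEN` under `pull_request_target`, and `eas-version: latest` installs an unpinned tool into a job holding that token; pin a version, or remove the `Setup EAS` step if `npx expo export` does not need it.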
Comment on lines +81 to +141

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 5 months ago

To fix the problem, add a permissions block to the workflow file. This block should be placed at the top level (root) of the workflow, just after the name: and before the on: key, to apply to all jobs unless overridden. The minimal required permission for this workflow is likely contents: read, since the jobs only check out code, install dependencies, build, and upload artifacts, but do not interact with issues, pull requests, or perform repository writes. If in the future a job needs more permissions, they can be granted at the job level. No changes to the jobs themselves are required.

What to change:

  • In .github/workflows/code-analysis.yml, add:
    permissions:
      contents: read
    after the name: Code Analysis line and before the on: block (i.e., after line 1).

No new methods, imports, or definitions are needed.


Suggested changeset 1
.github/workflows/code-analysis.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Code Analysis
 
 on:
EOF
@@ -1,3 +1,5 @@
permissions:
contents: read
name: Code Analysis

on:
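Review bot: Apply only one of the two Autofix patches: this `@@ -1,3 +1,5 @@` hunk is identical to the one suggested for lines +12 to +80, and a second copy would add a duplicate top-level `permissions:` key. If the two jobs ever need different scopes, set `permissions:` per job under `web-bundle-analysis` and `rn-bundle-analysis` rather than at the top level.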
8 changes: 6 additions & 2 deletions .github/workflows/preview.yml
@@ -1,18 +1,22 @@
name: Create EAS Preview

on:
pull_request:
pull_request_target:
workflow_dispatch:

permissions:
contents: read
pull-requests: write

jobs:
preview:
if: contains(github.event.pull_request.labels.*.name, 'run-preview') || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- name: Setup Node.js
uses: actions/setup-node@v4
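Review bot: Replacing `pull_request:` with `pull_request_target:` while checking out `ref: ${{ github.event.pull_request.head.sha || github.ref }}` runs the PR author's tree with the base repository's secrets and a token that now carries `pull-requests: write`. The `run-preview` label is checked on every run but never cleared, so with the default event types each later push to a labelled PR triggers the job again on unreviewed commits. Suggest keeping `pull_request` for the steps that install or build PR code and moving the write step to a separate `workflow_run` job, or triggering on `types: [labeled]` and removing the label at the end of each run so approval is per commit.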
Expand All @@ -32,5 +36,5 @@ jobs:
- name: Create preview
uses: expo/expo-github-action/preview@v8
with:
command: eas update --auto --branch ${{ github.event.pull_request.head.ref }}
command: eas update --auto --branch ${{ github.event.pull_request.head.ref || github.ref_name }}
working-directory: ./frontend
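Review bot: `github.event.pull_request.head.ref` is a branch name chosen by the PR author, and on the changed `command:` line it is expanded into the `eas update` command text before the action runs, now under `pull_request_target`. Validate it against an allowlist pattern in an earlier step, or derive the update branch from a value the author does not control, such as `github.event.pull_request.number`. The `|| github.ref_name` fallback for `workflow_dispatch` is fine.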