Skip to content

fix: Make lighthouse report actually work#10863

Closed
AaronDewes wants to merge 2 commits intofacebook:mainfrom
AaronDewes:patch-1
Closed

fix: Make lighthouse report actually work#10863
AaronDewes wants to merge 2 commits intofacebook:mainfrom
AaronDewes:patch-1

Conversation

@AaronDewes
Copy link

@AaronDewes AaronDewes commented Jan 24, 2025

Previously, this workflow just checked out the main branch, which caused the report to be pretty useless.

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Test Plan

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

@AaronDewes
fix: Make lighthouse report actually work
630ef83 
Previously, this workflow just checked out the main branch, which caused the report to be pretty useless.
@facebook-github-bot
Copy link
Contributor

facebook-github-bot commented Jan 24, 2025

Hi @AaronDewes!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

@AaronDewes AaronDewes marked this pull request as draft January 24, 2025 12:36
@facebook-github-bot
Copy link
Contributor

facebook-github-bot commented Jan 24, 2025

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@facebook-github-bot facebook-github-bot added the CLA Signed Signed Facebook CLA label Jan 24, 2025
@netlify
Copy link

netlify bot commented Jan 24, 2025
edited
Loading

[V2]

Built without sensitive environment variables

Name Link
🔨 Latest commit 1a6bca2
🔍 Latest deploy log https://app.netlify.com/sites/docusaurus-2/deploys/67952fb4de2fbe0008a3d9e9
😎 Deploy Preview https://deploy-preview-10863--docusaurus-2.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@github-actions
Copy link

github-actions bot commented Jan 24, 2025
edited
Loading

⚡️ Lighthouse report for the deploy preview of this PR

URL Performance Accessibility Best Practices SEO Report
/ 🔴 38 🟢 98 🟢 96 🟢 100 Report
/docs/installation 🟠 50 🟢 97 🟢 100 🟢 100 Report
/docs/category/getting-started 🟠 73 🟢 100 🟢 100 🟠 86 Report
/blog 🟠 63 🟢 96 🟢 100 🟠 86 Report
/blog/preparing-your-site-for-docusaurus-v3 🟠 64 🟢 92 🟢 100 🟢 100 Report
/blog/tags/release 🟠 63 🟢 96 🟢 100 🟠 86 Report
/blog/tags 🟠 73 🟢 100 🟢 100 🟠 86 Report

slorber
slorber reviewed Feb 21, 2025
View reviewed changes
Copy link
Collaborator

@slorber slorber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree we have a problem, but what you proposes present a vulnerability risk.

TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Given your security / hacker background found publicly, I wonder if you did it purposefully or if it's an honest mistake.

@slorber slorber closed this Feb 21, 2025
@AaronDewes
Copy link
Author

AaronDewes commented Feb 21, 2025

Hi @slorber.

First, I actually found this issue when researching such insecure actions. I've reported a similar security issue in the facebook/lexical repository through your bug bounty program, as well as similar issues in other org's repositories.

This PR is by no means a social engineering attempt or similar to introduce a vulnerability. As I am familiar with this issue, I was rather checking if this can be exploited.

If you check the file again, it starts with

permissions:
  contents: read

This means the token exposed to this repository has only read access to the repo contents, and can not do anything. There are numerous examples on GitHub of repositories which use similar methods, I can search one and link it here later.

@AaronDewes
Copy link
Author

AaronDewes commented Feb 21, 2025

An example from Microsoft would be: https://github.com/Azure/azure-cli-extensions/blob/main/.github/workflows/ProcessCodeReview.yml

This checks out "untrusted" code, but the permission settings in the YML make it safe.

Please re-open this PR if possible.

@OfficialMutazAwad OfficialMutazAwad mentioned this pull request Sep 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slorber slorber slorber left review comments

@Josh-Cena Josh-Cena Awaiting requested review from Josh-Cena Josh-Cena is a code owner

Assignees

No one assigned

Labels

CLA Signed Signed Facebook CLA

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AaronDewes @facebook-github-bot @slorber