test #361

22 changes: 9 additions & 13 deletions .github/workflows/test.yaml
@@ -1,20 +1,16 @@
---
name: test
on:
pull_request:
types: [closed]
pull_request_review:
types: [submitted]
on: pull_request
jobs:
test:
if: |
endsWith(github.event.pull_request.user.login, '[bot]') &&
((github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
github.event_name == 'pull_request')
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
pull-requests: write
contents: read
permissions: {}
steps:
- uses: suzuki-shunsuke/notify-bot-pr-event-action@pr/1
- uses: suzuki-shunsuke/update-pr-branch-action@latest
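Review bot: removing the `if:` guard (`endsWith(github.event.pull_request.user.login, '[bot]')`) together with the switch to a bare `on: pull_request` means this job now runs for every PR author, forks included, and the App credentials in the following `with:` block are handed to the third-party action on each run; keep a job-level condition (the bot-login check or a same-repository check) unless running for all PRs is intended. `permissions: {}` is the right choice for GITHUB_TOKEN here since the action authenticates with the App instead. Two further points on these lines: `@latest` is a moving reference, so pin `suzuki-shunsuke/update-pr-branch-action` to a release tag or, better, a commit SHA; and `on: pull_request` without `types:` also fires on `synchronize`, so if the action pushes to the head branch with the App token (App-token pushes, unlike GITHUB_TOKEN pushes, do trigger workflows) each update re-triggers this job, which is worth a `concurrency` group or a check of the action's own loop protection.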
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

suzuki-shunsuke/update-pr-branch-action GitHub releases tags versions

💡 Result:

suzuki-shunsuke/update-pr-branch-action — tags & releases (versions)

Git tags

The repository currently has these version tags (all created Feb 4, 2026): v0.0.1, v0.0.2, v0.0.3, v0.0.4. [1]

GitHub Releases

  • v0.0.3 — marked Latest (released Feb 4, 2026) [2]
  • v0.0.4 — marked Pre-release (released Feb 4, 2026) [2]
  • Older releases: v0.0.2, v0.0.1 [2]

“latest” / rolling tag note

The README examples use uses: suzuki-shunsuke/update-pr-branch-action@latest. [3]
However, the repo’s Tags page shows only v0.0.1 to v0.0.4 (no latest tag listed). [1]


Pin the action version instead of @latest.

@latest is mutable and can introduce unreviewed changes. The action has stable releases available (v0.0.3 is current, v0.0.4 is pre-release). Pin to a specific tag like @v0.0.3 for reproducibility and supply-chain safety.

🔒 Suggested pinning
-      - uses: suzuki-shunsuke/update-pr-branch-action@latest
+      - uses: suzuki-shunsuke/update-pr-branch-action@v0.0.3
🤖 Prompt for AI Agents
In @.github/workflows/test.yaml at line 10, replace the mutable tag on the
GitHub Action reference "suzuki-shunsuke/update-pr-branch-action@latest" with a
fixed release tag (e.g., "@v0.0.3") to ensure reproducible workflows and
supply-chain safety; locate the action usage in the workflow where
"suzuki-shunsuke/update-pr-branch-action@latest" appears and update it to the
chosen stable tag, then commit the change and verify the workflow syntax.

with:
# max_behind_by: 0
app_id: ${{ vars.APP_ID }}
app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
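Review bot: `app_private_key: ${{ secrets.APP_PRIVATE_KEY }}` passes the long-lived App private key itself to a third-party action that is referenced by a mutable tag, so anyone who can move `@latest` can read that key. Prefer minting a short-lived installation token in a preceding step (for example with `actions/create-github-app-token`) and passing only the token if the action accepts one; pin the action to a commit SHA either way, and restrict the App installation to this repository with only the permission the branch update needs. The commented-out `# max_behind_by: 0` leaves the effective default undocumented; either set it deliberately or drop the comment.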
Comment on lines +11 to +14

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test.yaml

Repository: szksh-lab-2/test-github-action

Length of output: 550


🌐 Web query:

GitHub Actions pull_request workflow secrets not available forks

💡 Result:

In GitHub Actions, workflows triggered by pull_request from a fork run in an untrusted context, so repository/org/environment secrets are not provided (to prevent a contributor from exfiltrating secrets by changing workflow/code). The only exception is GITHUB_TOKEN, which is typically read-only for fork PRs. [1]

What to do instead (common patterns)

  • Run tests without secrets on pull_request (recommended for OSS/public repos). Secrets won’t be available by design. [1]

  • Use pull_request_target only for “metadata” tasks (label/comment/status) because it runs in the base repo context and can access secrets—but it’s risky if you checkout/run PR code (“pwn request” risk). [2]

  • For private/internal repos you can explicitly allow this via repo/org/enterprise settings, including:

    • “Send secrets to workflows from pull requests”
    • (optionally) “Require approval for fork pull request workflows”
      so secrets can be made available after approval (policy-controlled). [3]

Sources:
[1] GitHub Docs — “Using secrets in GitHub Actions” (note about forks) (docs.github.com)
[2] GitHub Well-Architected — pull_request_target security implications (wellarchitected.github.com)
[3] GitHub Docs — “Managing GitHub Actions settings for a repository” (fork PR policies) (docs.github.com)


Guard against forked PRs with missing secrets.

pull_request workflows don't receive secrets from forks by design, so the app_id and app_private_key inputs will be empty for external contributors and the job will fail. Add a job-level if condition to skip execution on forked PRs, or switch to pull_request_target with safe checkout if you intend to support forks.

🔧 Suggested guard
 jobs:
   test:
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: ubuntu-24.04
🤖 Prompt for AI Agents
In @.github/workflows/test.yaml around lines 11 - 14, the workflow currently
passes inputs app_id and app_private_key to the GitHub App but will fail for
forked pull_request events because secrets are not available; update the job
that uses these inputs to guard execution by adding a job-level condition (e.g.,
check github.event.pull_request.head.repo.fork == false) to skip running for
forked PRs, or alternatively convert the workflow to use pull_request_target and
implement a safe checkout step before using the app secrets (so the
app_id/app_private_key inputs are only consumed when secrets are available).
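The two review findings above (a mutable `@latest` action reference, and secrets consumed on a `pull_request` trigger with no same-repository guard) can be checked mechanically before a workflow change is merged. The following is an added example written for this page, not code from the PR or from the action's project: a dependency-free Python linter that runs over a constructed workflow modelled on the diff and over a constructed hardened variant. The 40-hex SHA in the hardened sample is a placeholder, not a real commit of the action, and the guard expression and `paths:` filter are the reviewer's suggestions, not something the repository currently contains.

```python
"""Lint a GitHub Actions workflow for mutable action refs and for secrets
used on a pull_request trigger without a same-repository guard."""
import re

# Constructed sample modelled on the workflow in the diff; not the repository's file.
SAMPLE_WORKFLOW = """\
name: test
on: pull_request
jobs:
  test:
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    permissions: {}
    steps:
      - uses: suzuki-shunsuke/update-pr-branch-action@latest
        with:
          app_id: ${{ vars.APP_ID }}
          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
"""

# Constructed hardened variant. The SHA is a placeholder, not a real commit.
SAMPLE_HARDENED = """\
name: test
on:
  pull_request:
    paths: ["aqua/**"]
jobs:
  test:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-24.04
    permissions: {}
    steps:
      - uses: suzuki-shunsuke/update-pr-branch-action@0123456789abcdef0123456789abcdef01234567  # v0.0.3 (placeholder)
        with:
          app_id: ${{ vars.APP_ID }}
          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
"""

MUTABLE_REFS = {"latest", "main", "master", "develop"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@(\S+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")
FORK_GUARD_RE = re.compile(r"head\.repo\.(full_name|fork)")


def classify_ref(ref):
    """Classify the part after '@' in a 'uses:' reference."""
    if SHA_RE.match(ref):
        return "sha"
    if ref in MUTABLE_REFS:
        return "mutable"
    if TAG_RE.match(ref):
        return "tag"
    return "unknown"  # branch names, 'pr/1' style refs, etc.


def lint_workflow(text):
    """Return a list of (severity, line_number, message) findings."""
    findings = []
    lines = text.splitlines()
    # Everything before 'jobs:' is the trigger block.
    job_start = next((i for i, l in enumerate(lines) if l.strip() == "jobs:"), len(lines))
    on_pull_request = re.search(r"\bpull_request\b", "\n".join(lines[:job_start])) is not None

    for no, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        kind = classify_ref(ref)
        if kind == "mutable":
            findings.append(("error", no, f"{action}@{ref}: mutable ref '{ref}' can be moved to unreviewed code; pin to a commit SHA"))
        elif kind == "unknown":
            findings.append(("error", no, f"{action}@{ref}: ref '{ref}' is neither a release tag nor a commit SHA"))
        elif kind == "tag":
            findings.append(("warn", no, f"{action}@{ref}: release tags can be re-pointed; prefer a commit SHA"))

    uses_secrets = any(SECRET_RE.search(l) for l in lines)
    has_guard = any(FORK_GUARD_RE.search(l) for l in lines)
    if on_pull_request and uses_secrets and not has_guard:
        findings.append(("error", None, "secrets.* used on a pull_request trigger without a same-repo guard; "
                                        "fork PRs receive no secrets, so the job fails for external contributors"))

    if not any(l.strip().startswith("permissions:") for l in lines):
        findings.append(("warn", None, "no permissions: block; GITHUB_TOKEN gets the repository default scope"))
    return findings


if __name__ == "__main__":
    for name, text in (("as submitted", SAMPLE_WORKFLOW), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name}: {len(lint_workflow(text))} finding(s)")
        for sev, no, msg in lint_workflow(text):
            print(f"  [{sev}] line {no}: {msg}")
```

The linter is line-based on purpose so it needs no YAML library and can run as a pre-commit hook; it classifies the part after `@` as a commit SHA, a release tag, a known mutable branch name, or something else (such as the `pr/1` ref the diff removes), and it only raises the fork finding when a `pull_request` trigger, a `secrets.*` expression and the absence of a `head.repo` condition coincide, which is exactly the combination the diff introduces.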

files: |
aqua/**
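Review bot: with `files: | aqua/**` gone along with the removed notify action, nothing narrows the trigger any more: `on: pull_request` carries no `paths:`, so the job runs on every PR regardless of what changed. If the branch update is only wanted for aqua changes, add `paths: ['aqua/**']` under `pull_request:`; if running on all PRs is the intent, say so in the PR description since the old filter implied otherwise.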