chore(ci): Add workflow to update pixi lock on PRs #3560
Pull Request Overview
This PR refactors the pixi lockfile checking mechanism by moving it from the Docker workflow to a dedicated workflow that automatically updates lockfiles on pull requests. The key changes include:
- Creating a new automated workflow that checks and updates pixi lockfiles on pull requests
- Removing the manual pixi check step from the Docker build workflow
- Implementing automatic lockfile updates with push-back to the PR branch
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/pixi-lock.yml | New workflow that automatically checks and updates pixi lockfiles for pull requests using pull_request_target trigger |
| .github/workflows/docker.yml | Removed the check-pixi job that previously validated lockfile consistency during Docker builds |
| @@ -0,0 +1,55 @@ | |||
| on: | |||
| pull_request_target | |||
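Review bot: `pull_request_target` runs this workflow in the base repository's context, with its secrets and a token that the first review comment says carries `contents: write`, for pull requests opened from forks. That trigger is what makes the later push possible, so the choice should be scoped and documented right here: add a top-level `permissions:` block granting only what the push needs, restrict `types:` to the events that should re-lock, and state in a YAML comment why `pull_request` (which would run the same `pixi lock` without any write token) is insufficient for this job.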
Copilot (AI), Oct 28, 2025:
Using `pull_request_target` with `contents: write` permission and pushing to the source repository creates a security risk. This workflow has write access and executes in the context of the base repository, but it pushes to the fork repository URL. For forks from untrusted sources, this could be exploited. Consider adding authentication for the `git push` operation or using a GitHub App token with limited scope instead of pushing directly to `$REMOTE`.
What is the exploitation path? This PR runs known code on an unknown branch and pushes to that branch. An attacker does not choose what code runs and the result is not pushed directly to the upstream.
| bash -c '(pixi lock --check && git checkout .) || true' | ||
| - name: Push updated lockfile, if needed | ||
| run: | | ||
| git push $REMOTE HEAD:$BRANCH |
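Review bot: the defence that "known code runs on an unknown branch" holds only if `pixi lock` treats the PR head's manifest as pure data. The manifest is controlled by the fork author, this step runs with the base repository's token under `pull_request_target`, and `git push $REMOTE HEAD:$BRANCH` then publishes whatever HEAD contains; before merging, confirm from pixi's documentation that dependency resolution never executes anything derived from the manifest (for example, building source distributions to obtain metadata), or split the work so the lock is computed in an unprivileged `pull_request` job and only the push runs with credentials. Separately, `(pixi lock --check && git checkout .) || true` turns every failure of the check into success, not just the stale-lockfile case, so a manifest that cannot be resolved falls through to the push step silently; only the stale-lockfile outcome should be allowed to continue, with other errors failing the job.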
Copilot (AI), Oct 28, 2025:
The `git push` command will fail for fork PRs because it attempts to push to the fork repository URL without authentication. The `GITHUB_TOKEN` used for checkout only has permissions for the base repository, not the fork. This will cause authentication failures when pushing to forks.
If the user does not allow pushes from maintainers and a commit is generated, then this workflow should fail.
| on: | ||
| pull_request_target |
Copilot (AI), Oct 28, 2025:
The workflow trigger is missing a `name` field at the top of the file. All GitHub Actions workflows should include a descriptive name for better identification in the Actions UI. Consider adding `name: Pixi lockfile maintenance` or similar at the beginning of the file.
Codecov Report ✅ All modified and coverable lines are covered by tests.

Coverage Diff (master vs. #3560):

| | master | #3560 | +/- |
|---|---|---|---|
| Coverage | 72.93% | 72.93% | |
| Files | 60 | 60 | |
| Lines | 4818 | 4818 | |
| Branches | 625 | 625 | |
| Hits | 3514 | 3514 | |
| Misses | 1162 | 1162 | |
| Partials | 142 | 142 | |
In #3556, @tsalo discovered he couldn't (effectively) run `pixi lock` from a mac, which I believe is due to prefix-dev/pixi#3081. This PR runs `pixi lock` on PRs and commits to the incoming branch if they are out-of-date. #3559 demonstrates (see, e.g., 35151f7).