Skip to content

fix: link to test preview #1045

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix: link to test preview #1045

wants to merge 1 commit into from

Conversation

ofirc77
Copy link
Collaborator

@ofirc77 ofirc77 commented Feb 22, 2025

Description

Fix the broken link to test preview. The fix was made by changing some parts of the URL to consistent values in both workflows of the CI. We create 2 variables in one workflow and by uploading them to artifact we could access them in another workflow.

@ofirc77 ofirc77 self-assigned this Feb 22, 2025
@ofirc77 ofirc77 requested a review from NoamGaash as a code owner February 22, 2025 16:42
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 22, 2025
edited
Loading

Preview: https://s3.amazonaws.com/noam-gaash.co.il/15398303945/open-bus/673/index.html
Preview Storybook: https://s3.amazonaws.com/noam-gaash.co.il/15398303945/open-bus/673/storybook/index.html
Test Report (if available): 'https://s3.amazonaws.com/noam-gaash.co.il/15398303945/open-bus/ec7b5a2f0f398826fa57886e7895cd250c0abfac/test-results/index.html'

@NoamGaash NoamGaash marked this pull request as draft February 23, 2025 08:26
@NoamGaash NoamGaash removed their request for review February 23, 2025 08:26
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 7 times, most recently from dafc916 to 6937693 Compare February 26, 2025 21:48
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from c41dc32 to 8b65e52 Compare March 23, 2025 16:14
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from 794239c to 194b175 Compare April 13, 2025 19:10
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from a80250a to 02836a2 Compare April 14, 2025 18:32
@ofirc77
Copy link
Collaborator Author

ofirc77 commented Apr 14, 2025

Hi @NoamGaash
I want to consult with you regarding my solution.

The issue with this bug fix is that I am trying to resolve a race condition between 2 different workflows.

This is how I see the flow:

1.PR is created/updated
2.Both workflows start:
3.Build workflow (faster)
4.Validate workflow (slower)
5.When Build completes, it triggers deploy-preview
6.deploy-preview tries to get test results, but Validate is still running

My solution includes:

First, I tried to add a step that waits for the validate to finish before trying to reach out to the artifacts but it seems not to work for some reason.
Second. I tried to upload the URL vars as artifacts and download them in the deploy-preview stage after the validate workflow finishes. And use them as part of the URL to S3, same as in the validate workflow.
I am not sure if this fix is good in general and maybe I am missing some info regarding the GItHub actions mechanism.

WDYT?

@NoamGaash
Copy link
Member

Thanks! That's ok if the link will be posted before the results are available, as long as the link will be correct once the results are uploaded. Is that what you mean?
Sorry gor the delay 🙏

@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from 02836a2 to 4dfd3d1 Compare May 10, 2025 18:22
github-advanced-security[bot]
github-advanced-security bot found potential problems May 10, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 7 times, most recently from 30c71ff to 3b7f251 Compare May 15, 2025 17:18
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from 1011020 to 679c2c9 Compare May 17, 2025 17:55
github-advanced-security[bot]
github-advanced-security bot found potential problems May 17, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from 679c2c9 to c9db3ec Compare May 17, 2025 18:02
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from 9515aad to c449a15 Compare May 24, 2025 18:42
github-advanced-security[bot]
github-advanced-security bot found potential problems May 24, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from c449a15 to c31ba0a Compare May 24, 2025 18:48
github-advanced-security[bot]
github-advanced-security bot found potential problems May 24, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 2 times, most recently from 84173d1 to 15f6610 Compare May 26, 2025 19:33
github-advanced-security[bot]
github-advanced-security bot found potential problems May 26, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from 15f6610 to e25493d Compare May 26, 2025 19:43
github-advanced-security[bot]
github-advanced-security bot found potential problems May 26, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch 9 times, most recently from a5132e0 to 43bd25a Compare June 2, 2025 16:59
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 2, 2025
View reviewed changes
.github/workflows/deploy-preview.yml Outdated
Comment on lines 10 to 116
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Debug Workflow Info
run: |
echo "=== Workflow Debug Info ==="
echo "Workflow Run ID: ${{ github.event.workflow_run.id }}"
echo "Run Number: ${{ github.event.workflow_run.run_number }}"
echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
echo "Repository: ${{ github.repository }}"

- name: Download dist-build artifact
uses: dawidd6/action-download-artifact@v9
with:
workflow: Build
name: dist-build
path: .
github_token: ${{ secrets.GITHUB_TOKEN }}
pr: ${{ github.event.workflow_run.pull_requests[0].number }}


- name: Download dist-storybook artifact
uses: dawidd6/action-download-artifact@v9
with:
workflow: 'Build'
workflow_conclusion: success
github_token: ${{ secrets.GITHUB_TOKEN }}
run_id: ${{ github.event.workflow_run.id }}
run_number: ${{ github.event.workflow_run.run_number }}
name: dist-storybook
path: storybook

- name: Download pr number
uses: dawidd6/action-download-artifact@v9
with:
workflow: 'Build'
workflow_conclusion: success
github_token: ${{ secrets.GITHUB_TOKEN }}
run_id: ${{ github.event.workflow_run.id }}
run_number: ${{ github.event.workflow_run.run_number }}
name: pr_number
path: .

- name: Read and sanitize PR number
id: read-pr
run: |
pr_number=$(cat pr_number | tr -d '\n' | grep -E '^[0-9]+$' || echo "")
if [ -z "$pr_number" ]; then
echo "Error: Invalid PR number" >&2
exit 1
fi
echo "PR_NUMBER=${pr_number}" >> $GITHUB_ENV

- uses: shallwefootball/s3-upload-action@master
name: Upload preview to S3
if: always()
id: s3-trace
continue-on-error: true
with:
aws_key_id: ${{ secrets.AWS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws_bucket: noam-gaash.co.il
source_dir: . # Upload the root directory
destination_dir: ${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}

- name: find comment
uses: peter-evans/find-comment@v3
if: env.PR_NUMBER
id: fc
with:
issue-number: ${{ env.PR_NUMBER }}
comment-author: 'github-actions[bot]'
body-includes: 'Preview'

- name: update comment
uses: peter-evans/create-or-update-comment@v4
if: steps.fc.outputs.comment-id
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
edit-mode: replace
body: |
Preview: https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}/index.html
Preview Storybook: https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}/storybook/index.html
Test Report (if available): https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/test_03/test-results/index.html

- name: create comment
uses: peter-evans/create-or-update-comment@v4
if: steps.fc.outputs.comment-id == ''
with:
issue-number: ${{ env.PR_NUMBER }}
body: |
Preview: https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}/index.html
Preview Storybook: https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}/storybook/index.html
Test Report (if available): https://s3.amazonaws.com/noam-gaash.co.il/${{ github.event.workflow_run.id }}/open-bus/test_03/test-results/index.html

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 2 months ago

To fix the issue, we need to add a permissions block to the workflow file. This block should specify the minimal permissions required for the workflow to function correctly. Based on the actions performed in the workflow, the following permissions are needed:

  1. contents: read - To interact with repository contents, such as downloading artifacts.
  2. issues: write - To create or update comments on pull requests.
  3. pull-requests: read - To access pull request details.

The permissions block can be added at the root level of the workflow file to apply to all jobs, or it can be added specifically to the deploy-to-s3 job.

Suggested changeset 1
.github/workflows/deploy-preview.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -1,11 +1,16 @@
-on:
-    workflow_run:
-      workflows: ['Build']
-      types:
-        - completed
-    push:
-
-jobs:
-    deploy-to-s3:
-      runs-on: ubuntu-latest
+on:
+    workflow_run:
+      workflows: ['Build']
+      types:
+        - completed
+    push:
+
+permissions:
+    contents: read
+    issues: write
+    pull-requests: read
+
+jobs:
+    deploy-to-s3:
+      runs-on: ubuntu-latest
       steps:
EOF
@@ -1,11 +1,16 @@
on:
workflow_run:
workflows: ['Build']
types:
- completed
push:

jobs:
deploy-to-s3:
runs-on: ubuntu-latest
on:
workflow_run:
workflows: ['Build']
types:
- completed
push:

permissions:
contents: read
issues: write
pull-requests: read

jobs:
deploy-to-s3:
runs-on: ubuntu-latest
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 2, 2025
View reviewed changes
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from 43bd25a to d7f1a71 Compare June 2, 2025 17:03
@ofirc77 ofirc77 force-pushed the fix_s3_html_issue branch from d7f1a71 to ec7b5a2 Compare June 2, 2025 17:05
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 2, 2025
View reviewed changes
.github/workflows/deploy-preview.yml
echo "Workflow Run ID: ${{ github.event.workflow_run.id }}"
echo "Run Number: ${{ github.event.workflow_run.run_number }}"
echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"

Check failure

Code scanning / CodeQL

Code injection Critical

Potential code injection in
${ github.event.workflow_run.head_branch }
Loading
, which may be controlled by an external user (
workflow_run
Loading
).

Copilot Autofix

AI about 2 months ago

To fix the issue, we will:

  1. Assign the value of ${{ github.event.workflow_run.head_branch }} to an intermediate environment variable.
  2. Use the environment variable in the shell script with proper shell syntax ("$VAR"), which prevents code injection by treating the value as a literal string.

This approach ensures that the input is safely passed to the shell without the risk of unintended command execution.

Suggested changeset 1
.github/workflows/deploy-preview.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -21,3 +21,4 @@
               echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
-              echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
+              HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
+              echo "Head Branch: $HEAD_BRANCH"
             else
EOF
@@ -21,3 +21,4 @@
echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
echo "Head Branch: $HEAD_BRANCH"
else
Copilot is powered by AI and may make mistakes. Always verify output.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 2, 2025
View reviewed changes
.github/workflows/deploy-preview.yml
Comment on lines +15 to +29
run: |
echo "=== Workflow Debug Info ==="
echo "Event name: ${{ github.event_name }}"
if [ "${{ github.event_name }}" = "workflow_run" ]; then
echo "Workflow Run ID: ${{ github.event.workflow_run.id }}"
echo "Run Number: ${{ github.event.workflow_run.run_number }}"
echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
else
echo "Push event details:"
echo "SHA: ${{ github.sha }}"
echo "Ref: ${{ github.ref }}"
echo "Branch: ${{ github.ref_name }}"
fi
echo "Repository: ${{ github.repository }}"

Check failure

Code scanning / CodeQL

Expression injection in Actions Critical

Potential injection from the ${{ github.event.workflow_run.head_branch }}, which may be controlled by an external user.

Copilot Autofix

AI about 2 months ago

To fix the issue, we will follow the recommended best practice of using environment variables and shell-native syntax to safely handle user-controlled input. Specifically, we will:

  1. Set the value of ${{ github.event.workflow_run.head_branch }} to an intermediate environment variable.
  2. Use the environment variable in the shell command with native syntax ($VAR) instead of expression syntax (${{ env.VAR }}).

This approach ensures that the input is treated as a literal string by the shell, preventing injection attacks.

Suggested changeset 1
.github/workflows/deploy-preview.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -17,3 +17,5 @@
             echo "Event name: ${{ github.event_name }}"
-            if [ "${{ github.event_name }}" = "workflow_run" ]; then
+            if [ "${{ github.event_name }}" = "workflow_run" ]; then
+              export WORKFLOW_RUN_ID="${{ github.event.workflow_run.id }}"
+              export WORKFLOW_RUN_NUMBER="${{ github.event.workflow_run.run_number }}"
               echo "Workflow Run ID: ${{ github.event.workflow_run.id }}"
@@ -21,3 +23,4 @@
               echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
-              echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
+              export HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
+              echo "Head Branch: $HEAD_BRANCH"
             else
@@ -84,3 +87,3 @@
             source_dir: . # Upload the root directory
-            destination_dir: ${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}
+            destination_dir: ${{ env.WORKFLOW_RUN_ID }}/open-bus/${{ env.WORKFLOW_RUN_NUMBER }}
   
EOF
@@ -17,3 +17,5 @@
echo "Event name: ${{ github.event_name }}"
if [ "${{ github.event_name }}" = "workflow_run" ]; then
if [ "${{ github.event_name }}" = "workflow_run" ]; then
export WORKFLOW_RUN_ID="${{ github.event.workflow_run.id }}"
export WORKFLOW_RUN_NUMBER="${{ github.event.workflow_run.run_number }}"
echo "Workflow Run ID: ${{ github.event.workflow_run.id }}"
@@ -21,3 +23,4 @@
echo "Head SHA: ${{ github.event.workflow_run.head_sha }}"
echo "Head Branch: ${{ github.event.workflow_run.head_branch }}"
export HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
echo "Head Branch: $HEAD_BRANCH"
else
@@ -84,3 +87,3 @@
source_dir: . # Upload the root directory
destination_dir: ${{ github.event.workflow_run.id }}/open-bus/${{ github.event.workflow_run.run_number }}
destination_dir: ${{ env.WORKFLOW_RUN_ID }}/open-bus/${{ env.WORKFLOW_RUN_NUMBER }}

Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AvivAbachi AvivAbachi Awaiting requested review from AvivAbachi AvivAbachi will be requested when the pull request is marked ready for review AvivAbachi is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@ofirc77 ofirc77

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ofirc77 @NoamGaash