Fix variable reference for PR_REF in workflow #1878
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
paulinebm
previously approved these changes
Dec 11, 2025
coyotte508
reviewed
Dec 11, 2025
.github/workflows/test.yml
Outdated
| then | ||
| echo "SINCE=${{ github.sha }}^1" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "SINCE=$(git merge-base origin/${{ github.event.pull_request.base.ref }} ${{ github.sha }})" >> $GITHUB_OUTPUT |
Contributor
Author
There was a problem hiding this comment.
not needed, base.ref is main.
Member
There was a problem hiding this comment.
unless you do a PR on top of another PR?
Member
There was a problem hiding this comment.
(ok to merge after this is is fixed, for me)
There was a problem hiding this comment.
unless you do a PR on top of another PR?
In this case, the workflow won't be trigger in our repository (if the the base PR is also in a forked repository), or if the base PR is a branch in our repository, there should be no security issue as the branch is created by a team member (if we assume we could trust team members for branch name).
But I personally go for avoiding any {{ }} and use env variables.
I don't push the change, but here it is
(with the help of AI, need review if you take it)
name: Test
on:
pull_request:
push:
branches:
- main
jobs:
node:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v3
with:
# Could use something like rmacklin/fetch-through-merge-base@v0 instead when the repo gets bigger
fetch-depth: 0
- name: "Extracting the merge base into 'SINCE'"
id: since
env:
PR_REF: ${{ github.event.pull_request.head.ref }}
PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
GITHUB_SHA: ${{ github.sha }}
run: |
if [ -z "$PR_REF" ]
then
echo "SINCE=${GITHUB_SHA}^1" >> $GITHUB_OUTPUT
else
echo "SINCE=$(git merge-base origin/${PR_BASE_REF} ${GITHUB_SHA})" >> $GITHUB_OUTPUT
fi
- run: npm install -g corepack@latest && corepack enable
- uses: actions/setup-node@v3
with:
node-version: "20"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: Install and build
env:
SINCE_REF: ${{ steps.since.outputs.SINCE }}
run: |
pnpm install --frozen-lockfile --filter .
pnpm install --frozen-lockfile --filter ...["${SINCE_REF}"]...
pnpm --filter ...["${SINCE_REF}"]... build
- name: Test
env:
SINCE_REF: ${{ steps.since.outputs.SINCE }}
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: pnpm --filter ...["${SINCE_REF}"] test
browser:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v3
with:
# Could use something like rmacklin/fetch-through-merge-base@v0 instead when the repo gets bigger
fetch-depth: 0
- name: "Extracting the merge base into 'SINCE'"
id: since
env:
PR_REF: ${{ github.event.pull_request.head.ref }}
PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
GITHUB_SHA: ${{ github.sha }}
run: |
if [ -z "$PR_REF" ]
then
echo "SINCE=${GITHUB_SHA}^1" >> $GITHUB_OUTPUT
else
echo "SINCE=$(git merge-base origin/${PR_BASE_REF} ${GITHUB_SHA})" >> $GITHUB_OUTPUT
fi
- run: google-chrome --version
- run: npm install -g corepack@latest && corepack enable
- uses: actions/setup-node@v3
with:
node-version: "22"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: Install and build
env:
SINCE_REF: ${{ steps.since.outputs.SINCE }}
run: |
pnpm install --frozen-lockfile --filter .
pnpm install --frozen-lockfile --filter ...["${SINCE_REF}"]...
pnpm --filter ...["${SINCE_REF}"]... build
- name: Test in browser
env:
SINCE_REF: ${{ steps.since.outputs.SINCE }}
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: pnpm --filter ...["${SINCE_REF}"] test:browser
e2e:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v3
- run: npm install -g corepack@latest && corepack enable
- uses: actions/setup-node@v3
with:
node-version: "20"
cache: "pnpm"
cache-dependency-path: "**/pnpm-lock.yaml"
- name: E2E - start mock npm registry
run: |
npm i -g verdaccio verdaccio-memory verdaccio-auth-memory
echo >> .npmrc
echo "//localhost:4874/:_authToken=1FlYaQkIdHsIztXCHmqu9g==" >> .npmrc
npx verdaccio --listen 4874 --config e2e/mock-registry-config.yaml &
- name: E2E test - publish packages to mock repo
working-directory: e2e
run: |
sleep 3
pnpm i --filter root --filter inference... --filter hub... --filter tasks-gen --frozen-lockfile
pnpm --filter inference --filter hub --filter tasks --filter jinja publish --force --no-git-checks --registry http://localhost:4874/
- name: E2E test - test yarn install
working-directory: e2e/ts
run: |
npm i -g yarn --force
# yarn now looks at root package.json for the package manager...
mv ../../package.json ../../package.json.bk
yarn install --registry http://localhost:4874/
mv ../../package.json.bk ../../package.json
- name: E2E test - typescript node project
working-directory: e2e/ts
env:
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: |
pnpm i --ignore-workspace --registry http://localhost:4874/
pnpm start
- name: E2E test - svelte app build
working-directory: e2e/svelte
run: |
pnpm i --ignore-workspace --registry http://localhost:4874/
pnpm build
pnpm run test:browser
- uses: denoland/setup-deno@v1
with:
deno-version: vx.x.x
- name: E2E test - deno import from npm
working-directory: e2e/deno
env:
NPM_CONFIG_REGISTRY: http://localhost:4874/
HF_TOKEN: ${{ secrets.HF_TOKEN }}
run: deno run --allow-read --allow-net --allow-env=HF_TOKEN index.ts
ydshieh
previously approved these changes
Dec 12, 2025
ydshieh
left a comment
ydshieh
left a comment
There was a problem hiding this comment.
LGTM, although I personally would change any usage (( ... }} to env. variables.
coyotte508
previously approved these changes
Dec 12, 2025
coyotte508
reviewed
Dec 12, 2025
Comment on lines
+25
to
+29
| echo "SINCE=$(git merge-base $BASE_REF $SHA)" >> $GITHUB_OUTPUT | ||
| fi | ||
| env: | ||
| PR_REF: ${{ github.event.pull_request.head.ref }} | ||
| BASE_REF: origin/${{ github.event.pull_request.base.ref }} |
Member
There was a problem hiding this comment.
here, maybe it'll fix the lint problem we've had (lint job succeeding before merging)
cc @Wauplin for viz
coyotte508
approved these changes
Dec 12, 2025
Member
|
needs an approval from @huggingface/security before it can be merged |
ydshieh
reviewed
Dec 12, 2025
| echo "SINCE=$SHA^1" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "SINCE=$(git merge-base origin/$PR_REF $SHA)" >> $GITHUB_OUTPUT | ||
| echo "SINCE=$(git merge-base $BASE_REF $SHA)" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
I leave this for you two. For security issue we intent to fix, this current version is good.
Member
|
merged via git since I couldn't do it on github interface |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.