security-wg icon indicating copy to clipboard operation
security-wg copied to clipboard

Published 20 hours ago verified publisher icon nodejs

Ping TSC on deps update not from GithubBot

Open marco-ippolito opened this issue 1 year ago • 11 comments

We receive dependency update such as https://github.com/nodejs/node/pull/53406 that are created by users that might be hard and risky to review. We should probably ping TSC whenever we receive changes in the deps folder not from a GithubBot

marco-ippolito avatar Jun 13 '24 15:06 marco-ippolito

I strongly agree

UlisesGascon avatar Jun 13 '24 15:06 UlisesGascon

Context: https://openjs-foundation.slack.com/archives/C03Q9MS3KFB/p1718290908194829?thread_ts=1718036013.366919&cid=C03Q9MS3KFB

RafaelGSS avatar Jun 13 '24 17:06 RafaelGSS

To create a comment in a PR in nodejs/node repository, even when providing a PR from a fork you need to listen on a pull_request_target event . This can have security implications. Maybe @lirantal wants to comment on that.

I dont think we need to write a new action.

So something like the following could be enough? Untested(!)

on:
  pull_request_target:
    paths:
      - 'deps/**'

jobs:
  ping-tsc:
    runs-on: ubuntu-latest
    name: Ping the TSC
    steps:
      - name: Ping the TSC
        if: >
          github.event.pull_request.user.login != 'nodejs-github-bot'
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: Pinging @tsc because of an irregular change in the deps folder
          comment_tag: ping-tsc

Uzlopak avatar Jun 13 '24 20:06 Uzlopak

Maybe it makes also sense to add a "blocked" label to the PR.

Uzlopak avatar Jun 13 '24 21:06 Uzlopak

We should probably ping TSC whenever we receive changes in the deps folder not from a GithubBot

Pinging the TSC for changes to deps should be easy (add them as a CODEOWNER and then our bot should then ping the team in a comment to the PR) but we have no logic AFAIK for checking who originated the PR.

richardlau avatar Jun 13 '24 22:06 richardlau

I can make a workflow if you'd like

avivkeller avatar Jun 14 '24 13:06 avivkeller

~~https://github.com/nodejs/node/pull/53149 migrates the requesting reviews to GitHub actions, and also implements this in the process~~

avivkeller avatar Jun 17 '24 19:06 avivkeller

PR - to add guidance to contributing docs - https://github.com/nodejs/node/pull/53499

mhdawson avatar Jun 18 '24 14:06 mhdawson

Thinking about this a bit, instead of a ping to the TSC, I think adding a comment to the PR with a warning to collaborators that updates to dependencies should generally be generated by the automation and pointing to https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-dependencies.md#updating-dependencies for more information would be more beneficial.

mhdawson avatar Jun 20 '24 16:06 mhdawson

I can modify my PR if you'd like

avivkeller avatar Jun 20 '24 16:06 avivkeller

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Sep 19 '24 00:09 github-actions[bot]

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

github-actions[bot] avatar Dec 19 '24 00:12 github-actions[bot]