Add a workflow to print bundle size #150
Conversation
The trusted part of the workflow won't work until we merge, so we'll have to wait with testing.
Wonderful job! I'm wondering why you had to split it into two parts.
It has to do with security. The untrusted part of the workflow runs on the PR branch, and theoretically someone could submit a malicious PR that changes the workflow to do something bad. We wouldn't want to run this workflow with a token that has write access, so GitHub runs it with read access by default. However, that means we don't have permission to "write" comments on PRs. In this setup, we run a read-only workflow in untrusted land and then publish a plain-text artifact that can then be safely downloaded and parsed in the trusted land without executing any unsafe code.
Got it. I'm not a big pro in GH Actions, so it may sound stupid to you, but can't we just do all the needed jobs in the "trusted land"? So we don't split the workflow into 2 parts and keep it simpler.
We can't, because the reason the trusted land is trusted is that there is no external code from the PR :) We want to run some safe operations on external code in untrusted land (i.e. counting the bundle size) and then publish a comment in trusted land.
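As an added illustration of the split described above (not the PR's own workflow files), here are two workflow files shown in one fence separated by `---`: the untrusted one runs the PR's code with a read-only token and uploads plain text, the trusted one runs from the default branch on `workflow_run`, validates that text as untrusted input, and posts the comment. The `dist` build directory, the `npm run build` step and the artifact file names are assumptions.

```yaml
# .github/workflows/measure.yml (untrusted: runs PR code, read-only token)
name: measure
on: pull_request
permissions: { contents: read }
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build      # assumed build step, writes dist/
      - run: |            # plain-text facts only, nothing executable
          mkdir out
          echo "${{ github.event.pull_request.number }}" > out/pr
          du -sb dist | cut -f1 > out/size
      - uses: actions/upload-artifact@v4
        with: { name: bundle-size, path: out }
---
# .github/workflows/comment.yml (trusted: default-branch workflow, no PR code)
name: comment
on:
  workflow_run: { workflows: [measure], types: [completed] }
permissions: { actions: read, pull-requests: write }
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs'), cp = require('child_process');
            const { owner, repo } = context.repo;
            const run_id = context.payload.workflow_run.id;
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({ owner, repo, run_id });
            const art = data.artifacts.find(a => a.name === 'bundle-size');
            if (!art) throw new Error('artifact missing');
            const zip = await github.rest.actions.downloadArtifact({ owner, repo, artifact_id: art.id, archive_format: 'zip' });
            fs.writeFileSync('a.zip', Buffer.from(zip.data));
            cp.execFileSync('unzip', ['-o', 'a.zip', '-d', 'out']);
            // the artifact was produced by untrusted code: accept only digits, never eval or run it
            const read = f => fs.readFileSync(`out/${f}`, 'utf8').trim();
            const pr = read('pr'), size = read('size');
            if (!/^\d{1,9}$/.test(pr) || !/^\d{1,12}$/.test(size)) throw new Error('bad artifact');
            // the PR number is also untrusted: confirm it belongs to the commit this run measured
            const { data: pull } = await github.rest.pulls.get({ owner, repo, pull_number: Number(pr) });
            if (pull.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR/run mismatch');
            await github.rest.issues.createComment({ owner, repo, issue_number: Number(pr),
              body: `Bundle size: ${size} bytes` });
```

The trusted workflow only takes effect once it exists on the default branch, which is why it cannot be exercised from the PR itself.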
Closes #148. I wanted to find an existing solution, but they all suck in some ways, so I just decided to write my own one