From 982b16d60e637a41b9c2e7c347869c1260b9ee90 Mon Sep 17 00:00:00 2001 From: lauren Date: Fri, 21 Mar 2025 16:32:38 -0400 Subject: [PATCH 1/6] [ci] Fix permissions and don't use pull_request_target (#7689) Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. --- .github/workflows/analyze.yml | 4 +++- .github/workflows/analyze_comment.yml | 4 +++- .github/workflows/discord_notify.yml | 7 ++++++- .github/workflows/label_core_team_prs.yml | 12 +++++++++++- .github/workflows/site_lint.yml | 4 +++- 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index b1ef428d0..13c9c844a 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -7,6 +7,8 @@ on: - main # change this if your default branch is named differently workflow_dispatch: +permissions: {} + jobs: analyze: runs-on: ubuntu-latest @@ -23,7 +25,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 5a3047cfc..7e5a24d04 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -2,10 +2,12 @@ name: Analyze Bundle (Comment) on: workflow_run: - workflows: ["Analyze Bundle"] + workflows: ['Analyze Bundle'] types: - completed +permissions: {} + jobs: comment: runs-on: ubuntu-latest diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml index a4b8c9137..a553b23a0 100644 --- a/.github/workflows/discord_notify.yml +++ b/.github/workflows/discord_notify.yml 
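Review bot: `permissions: {}` at workflow level in analyze.yml leaves the `analyze` job with no GITHUB_TOKEN scopes, and this hunk adds no job-level block to grant any back; the same holds for `comment` in analyze_comment.yml and `lint` in site_lint.yml. The job bodies continue outside these hunks, but later in this series the `comment` job is shown posting through a sticky-comment action and both analyze workflows download artifacts from another run, which would normally need `pull-requests: write` and `actions: read` respectively. I would add per-job grants with a reason comment, in the style this commit uses for the `label` job, e.g. `permissions:` followed by `pull-requests: write  # post the bundle analysis comment` under `comment:`. If a job really does work with an empty token, a one-line comment next to `permissions: {}` saying so would keep someone from widening it later.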
@@ -1,12 +1,17 @@ name: Discord Notify on: - pull_request_target: + pull_request: types: [opened, ready_for_review] +permissions: {} + jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml index 3d9fa2be1..6099b8fcb 100644 --- a/.github/workflows/label_core_team_prs.yml +++ b/.github/workflows/label_core_team_prs.yml @@ -1,7 +1,9 @@ name: Label Core Team PRs on: - pull_request_target: + pull_request: + +permissions: {} env: TZ: /usr/share/zoneinfo/America/Los_Angeles @@ -11,6 +13,9 @@ env: jobs: check_maintainer: uses: facebook/react/.github/workflows/shared_check_maintainer.yml@main + permissions: + # Used by check_maintainer + contents: read with: actor: ${{ github.event.pull_request.user.login }} is_remote: true @@ -19,6 +24,11 @@ jobs: if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} runs-on: ubuntu-latest needs: check_maintainer + permissions: + # Used to add labels on issues + issues: write + # Used to add labels on PRs + pull-requests: write steps: - name: Label PR as React Core Team uses: actions/github-script@v7 diff --git a/.github/workflows/site_lint.yml b/.github/workflows/site_lint.yml index 36f7642c9..81a04601c 100644 --- a/.github/workflows/site_lint.yml +++ b/.github/workflows/site_lint.yml @@ -7,6 +7,8 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: {} + jobs: lint: runs-on: ubuntu-latest @@ -25,7 +27,7 @@ jobs: - name: Restore cached node_modules uses: actions/cache@v4 with: - path: "**/node_modules" + path: '**/node_modules' key: node_modules-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }} - name: Install deps From f6d762cbbf958ca45bb8d1d011b31e5289e43a3d Mon Sep 17 00:00:00 2001 
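Review bot: The new `contents: read` grant on `check_maintainer` in discord_notify.yml is handed to a reusable workflow resolved at `@main`, a branch ref in another repository, so whatever is on that branch at run time executes with it; label_core_team_prs.yml has the same call. The next commit in this series pins third-party actions to commit hashes, and the same treatment fits here: `uses: facebook/react/.github/workflows/shared_check_maintainer.yml@<full-commit-sha>  # main as of <date>` (placeholders). If tracking `main` is intentional because both repositories share maintainers, say so in the comment, and make `# Used by check_maintainer` state what the callee reads with the permission. The called workflow's contents are not visible here.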
From: lauren Date: Fri, 21 Mar 2025 16:32:50 -0400 Subject: [PATCH 2/6] [ci] Pin 3rd party actions to specific hash (#7690) * [ci] Fix permissions and don't use pull_request_target Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to https://github.com/facebook/react/pull/32708, prefer the less permissive `pull_request` trigger instead. * [ci] Pin 3rd party actions to specific hash --- .github/workflows/analyze.yml | 2 +- .github/workflows/analyze_comment.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml index 13c9c844a..83e7f2e8a 100644 --- a/.github/workflows/analyze.yml +++ b/.github/workflows/analyze.yml @@ -57,7 +57,7 @@ jobs: name: bundle_analysis.json - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e if: success() && github.event.number with: workflow: analyze.yml diff --git a/.github/workflows/analyze_comment.yml b/.github/workflows/analyze_comment.yml index 7e5a24d04..1e086b9b7 100644 --- a/.github/workflows/analyze_comment.yml +++ b/.github/workflows/analyze_comment.yml @@ -16,7 +16,7 @@ jobs: github.event.workflow_run.conclusion == 'success' }} steps: - name: Download base branch bundle stats - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} @@ -24,7 +24,7 @@ jobs: path: analysis_comment.txt - name: Download PR number - uses: dawidd6/action-download-artifact@v2 + uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e with: workflow: analyze.yml run_id: ${{ github.event.workflow_run.id }} 
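Review bot: The hash pins on `dawidd6/action-download-artifact` (here in analyze.yml and twice in analyze_comment.yml) and on `marocchino/sticky-pull-request-comment` carry no record of which release they correspond to, which makes the pin hard to audit and easy to let go stale. A trailing comment on each line fixes that, e.g. `uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e  # <release tag>` with the tag the hash was taken from (placeholder; the page does not say). It is also worth confirming that the hash is a current release rather than simply where the moving `v2` tag pointed, since a pin stops security fixes from arriving automatically; an update bot configured for GitHub Actions keeps pinned hashes current.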
@@ -50,7 +50,7 @@ jobs: echo "pr-number=$pr_number" >> $GITHUB_OUTPUT - name: Comment - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 with: header: next-bundle-analysis number: ${{ steps.get-comment-body.outputs.pr-number }} From 0bc63000f74b3889b141dd4f4f8c1b817cd70d5a Mon Sep 17 00:00:00 2001 From: Ricky Date: Mon, 24 Mar 2025 15:46:53 -0400 Subject: [PATCH 3/6] [ci] fix notify for forks (#7694) --- .github/workflows/discord_notify.yml | 2 +- .github/workflows/label_core_team_prs.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml index a553b23a0..8314deb3a 100644 --- a/.github/workflows/discord_notify.yml +++ b/.github/workflows/discord_notify.yml @@ -1,7 +1,7 @@ name: Discord Notify on: - pull_request: + pull_request_target: types: [opened, ready_for_review] permissions: {} diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml index 6099b8fcb..529d7cc48 100644 --- a/.github/workflows/label_core_team_prs.yml +++ b/.github/workflows/label_core_team_prs.yml @@ -1,7 +1,7 @@ name: Label Core Team PRs on: - pull_request: + pull_request_target: permissions: {} From 9b2ad174d0971230f2ba02d1a2c4580469c7fa86 Mon Sep 17 00:00:00 2001 From: lauren Date: Mon, 24 Mar 2025 16:40:33 -0400 Subject: [PATCH 4/6] [ci] Remove unused param (#7695) https://github.com/facebook/react/pull/32727 removes the `is_remote` param. --- .github/workflows/discord_notify.yml | 1 - .github/workflows/label_core_team_prs.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/discord_notify.yml b/.github/workflows/discord_notify.yml index 8314deb3a..2f5b2a497 100644 --- a/.github/workflows/discord_notify.yml +++ b/.github/workflows/discord_notify.yml 
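Review bot: Pinning the comment action does not change that its `number:` input comes from `pr_number`, which this job appears to read from an artifact produced by the PR-triggered Analyze Bundle run and writes unchecked with `echo "pr-number=$pr_number" >> $GITHUB_OUTPUT`. That artifact is untrusted data arriving in a `workflow_run` job, and a value containing a newline could set extra step outputs or point the comment at a different PR. Validate before the echo, e.g. `[[ "$pr_number" =~ ^[0-9]+$ ]] || { echo "invalid PR number"; exit 1; }` (assuming the default bash shell); cross-checking against the triggering run's own pull request data would be stronger still. The script that assigns `pr_number` starts outside the hunk, so the source of the value is inferred.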
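Review bot: Switching discord_notify.yml back to `pull_request_target` (label_core_team_prs.yml gets the same change in the next hunk) makes fork PRs run in the base repository's context with access to its secrets, and nothing on the trigger records why that is safe. With `permissions: {}` kept, the remaining exposure is secrets plus the grants on individual jobs, so the invariant to hold is that no job here or in the called `shared_check_maintainer.yml@main` checks out or executes PR head content, and that event fields are passed as data, as `actor:` is, rather than interpolated into `run:` scripts. I would put that above the trigger: `# pull_request_target: runs with base-repo secrets; never check out or run PR head code here`. The job bodies are outside the hunk, so whether the invariant holds today is not verifiable from this diff.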
@@ -14,7 +14,6 @@ jobs: contents: read with: actor: ${{ github.event.pull_request.user.login }} - is_remote: true notify: if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} diff --git a/.github/workflows/label_core_team_prs.yml b/.github/workflows/label_core_team_prs.yml index 529d7cc48..f9b3328ee 100644 --- a/.github/workflows/label_core_team_prs.yml +++ b/.github/workflows/label_core_team_prs.yml @@ -18,7 +18,6 @@ jobs: contents: read with: actor: ${{ github.event.pull_request.user.login }} - is_remote: true label: if: ${{ needs.check_maintainer.outputs.is_core_team == 'true' }} From 6788f6bade9bd11c3c7f0cdad620501e2063c4e5 Mon Sep 17 00:00:00 2001 From: Alberto Velandia Date: Mon, 24 Mar 2025 15:47:47 -0700 Subject: [PATCH 5/6] Fixes typo (#7688) --- src/content/reference/react-dom/hooks/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/reference/react-dom/hooks/index.md b/src/content/reference/react-dom/hooks/index.md index 73eefae75..5dfb07d82 100644 --- a/src/content/reference/react-dom/hooks/index.md +++ b/src/content/reference/react-dom/hooks/index.md @@ -14,7 +14,7 @@ The `react-dom` package contains Hooks that are only supported for web applicati *Forms* let you create interactive controls for submitting information. To manage forms in your components, use one of these Hooks: -* [`useFormStatus`](/reference/react-dom/hooks/useFormStatus) allows you to make updates to the UI based on the status of the a form. +* [`useFormStatus`](/reference/react-dom/hooks/useFormStatus) allows you to make updates to the UI based on the status of a form. ```js function Form({ action }) { From 2859efa07357dfc2927517ce9765515acf903c7c Mon Sep 17 00:00:00 2001 From: Petr Chalupa Date: Tue, 25 Mar 2025 22:28:39 +0100 Subject: [PATCH 6/6] Add React Prague community (#7279) * Add React Prague community * Update link --- src/content/community/meetups.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/src/content/community/meetups.md b/src/content/community/meetups.md index 906c170de..b3290a004 100644 --- a/src/content/community/meetups.md +++ b/src/content/community/meetups.md @@ -47,6 +47,9 @@ Do you have a local React.js meetup? Add it here! (Please keep the list alphabet ## Colombia {/*colombia*/} * [Medellin](https://www.meetup.com/React-Medellin/) +## Czechia {/*czechia*/} +* [Prague](https://guild.host/react-prague/) + ## Denmark {/*denmark*/} * [Aalborg](https://www.meetup.com/Aalborg-React-React-Native-Meetup/) * [Aarhus](https://www.meetup.com/Aarhus-ReactJS-Meetup/)