ci(repo): skip permissions check for repository_dispatch #8234
jacekradko merged 2 commits into main
🦋 Changeset detected
Latest commit: e09ad5f
The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packages.
📝 Walkthrough
This pull request adds a changeset file and updates the e2e-staging GitHub Actions workflow. The workflow's
🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/e2e-staging.yml:
- Line 42: The validate-instances job allows repository_dispatch to reach a
checkout of github.event.client_payload.ref without ref validation; update the
validate-instances job to normalize and validate the incoming ref (same pattern
used by integration-tests) before any checkout or use of secrets: parse
client_payload.ref into a variable, match it against ^(main|release/.*)$ (or the
org-membership gate alternative), and only then perform the actions that check
out that ref and expose
INTEGRATION_INSTANCE_KEYS/INTEGRATION_STAGING_INSTANCE_KEYS; alternatively
reintroduce the org-membership gate for repository_dispatch so
repository_dispatch cannot bypass the existing membership check until the
explicit ref validation is added.
📒 Files selected for processing (2)
- .changeset/skip-permissions-dispatch.md
- .github/workflows/e2e-staging.yml
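One way to implement the ref check the review comment above asks for, as an added example that is not code from this PR or from the repository's workflow. The names `DISPATCH_REF` and `validate_dispatch_ref` are assumptions, and the rejections beyond the quoted `^(main|release/.*)$` pattern are extra hardening assumed here, not something the review specifies.

```shell
#!/bin/sh
# Added example (not the repository's workflow code). In a workflow step the
# value would arrive through `env:` (DISPATCH_REF is an assumed name), e.g.
#   env: { DISPATCH_REF: "${{ github.event.client_payload.ref }}" }
# so the payload is never interpolated into the script text itself.

# Allowlist pattern quoted in the review comment.
ALLOWED_REF_RE='^(main|release/.*)$'

# Prints the normalized branch name and returns 0 only for an allowed ref.
validate_dispatch_ref() {
  local raw ref
  raw="${1-}"
  if [ -z "$raw" ]; then
    echo "reject: empty ref" >&2; return 1
  fi
  # Restrict to branch-name characters first. This also rejects newlines,
  # which would otherwise let a second line satisfy the line-based grep below.
  case "$raw" in
    *[!A-Za-z0-9._/-]*) echo "reject: unexpected character" >&2; return 1 ;;
  esac
  # Normalize: accept "refs/heads/<branch>" or "<branch>".
  ref="${raw#refs/heads/}"
  # 'release/.*' alone would admit these; git's ref-name rules forbid them too.
  case "$ref" in
    *..*|*//*|*/) echo "reject: malformed ref" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$ref" | grep -Eq -- "$ALLOWED_REF_RE"; then
    echo "reject: '$ref' is not main or release/*" >&2; return 1
  fi
  printf '%s\n' "$ref"
}

# Constructed sample payload values, not taken from any real dispatch.
for sample in main refs/heads/release/v5 feature/x refs/pull/7/merge release/../main; do
  if checked="$(validate_dispatch_ref "$sample" 2>/dev/null)"; then
    echo "checkout allowed: $checked"
  else
    echo "blocked before checkout: $sample"
  fi
done
```

Run as the first step of any job that checks out the dispatched ref, so a non-zero exit stops the job before the instance-key secrets are exposed to later steps.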
Summary
- repository_dispatch events in the e2e-staging workflow
- repository_dispatch is already authenticated via a scoped PAT, so the org membership check is redundant and blocks automated triggers from clerk/clerk_go
- validate-instances, integration-tests) now tolerate a skipped permissions-check

Test plan
- repository_dispatch from clerk/clerk_go and confirm it runs without the permissions failure
- workflow_dispatch manually and confirm the permissions check still runs