fix: address CodeRabbit review feedback

- Pass composite action inputs via env vars to prevent script injection - Clamp progressBar percentage to [0,100] to prevent RangeError - Remove unreachable null from buildMilestoneBlock return type
2026-04-20 06:20:11 +00:00 · 2026-04-08 18:58:48 -07:00
parent 81777e2671
commit d45ec89066
2 changed files with 12 additions and 12 deletions
--- a/.github/actions/find-workflow-run/action.yaml
+++ b/.github/actions/find-workflow-run/action.yaml
@@ -30,20 +30,24 @@ runs:
    - name: Find workflow run
      id: find
      uses: actions/github-script@v8
+      env:
+        WORKFLOW_ID: ${{ inputs.workflow-id }}
+        HEAD_SHA: ${{ inputs.head-sha }}
+        NOT_FOUND_STATUS: ${{ inputs.not-found-status }}
      with:
        github-token: ${{ inputs.token }}
        script: |
          const { data: runs } = await github.rest.actions.listWorkflowRuns({
            owner: context.repo.owner,
            repo: context.repo.repo,
-            workflow_id: '${{ inputs.workflow-id }}',
-            head_sha: '${{ inputs.head-sha }}',
+            workflow_id: process.env.WORKFLOW_ID,
+            head_sha: process.env.HEAD_SHA,
            per_page: 1,
          });

          const run = runs.workflow_runs[0];
          if (!run) {
-            core.setOutput('status', '${{ inputs.not-found-status }}');
+            core.setOutput('status', process.env.NOT_FOUND_STATUS);
            return;
          }

--- a/scripts/coverage-slack-notify.ts
+++ b/scripts/coverage-slack-notify.ts
@@ -45,7 +45,8 @@ function parseLcov(filePath: string): CoverageData | null {
 }

 function progressBar(percentage: number): string {
-  const filled = Math.round((percentage / 100) * BAR_WIDTH)
+  const clamped = Math.max(0, Math.min(100, percentage))
+  const filled = Math.round((clamped / 100) * BAR_WIDTH)
  const empty = BAR_WIDTH - filled
  return '█'.repeat(filled) + '░'.repeat(empty)
 }
@@ -69,10 +70,7 @@ function crossedMilestone(prev: number, curr: number): number | null {
  return null
 }

-function buildMilestoneBlock(
-  label: string,
-  milestone: number
-): SlackBlock | null {
+function buildMilestoneBlock(label: string, milestone: number): SlackBlock {
  if (milestone >= TARGET) {
    return {
      type: 'section',
@@ -194,8 +192,7 @@ function main() {
      unitCurrent.percentage
    )
    if (milestone !== null) {
-      const block = buildMilestoneBlock('Unit test', milestone)
-      if (block) blocks.push(block)
+      blocks.push(buildMilestoneBlock('Unit test', milestone))
    }
  }

@@ -205,8 +202,7 @@ function main() {
      e2eCurrent.percentage
    )
    if (milestone !== null) {
-      const block = buildMilestoneBlock('E2E test', milestone)
-      if (block) blocks.push(block)
+      blocks.push(buildMilestoneBlock('E2E test', milestone))
    }
  }