mirror of
https://github.com/Comfy-Org/ComfyUI_frontend.git
synced 2026-03-08 14:39:58 +00:00
6689a1b14e
## Summary Perf report workflow fails on fork PRs because `GITHUB_TOKEN` is read-only for forks, causing "Resource not accessible by integration" on the PR comment step. ## Changes - **What**: Split `ci-perf-report.yaml` into a data-collection workflow + a `workflow_run`-triggered reporter (`pr-perf-report.yaml`), matching the existing `ci-size-data`/`pr-size-report` pattern. Added fork PR permissions guidance to `.github/AGENTS.md`. - **ci-perf-report.yaml**: Removed the `report` job and `pull-requests: write` permission. Added PR metadata (number + base branch) artifact upload. - **pr-perf-report.yaml** (new): Triggered by `workflow_run` on the perf workflow. Downloads metrics + metadata artifacts, generates report, posts PR comment with write permissions from the default-branch context. ## Review Focus - The two-workflow split follows the same pattern as `ci-size-data.yaml` → `pr-size-report.yaml`, which already works for fork PRs. - The `workflow_run` trigger runs in the base repo context per [GitHub Security Lab guidance](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/), so it safely has write permissions even for fork PRs. - AGENTS.md guidance documents this pattern to prevent recurrence. Fixes the failure seen in https://github.com/Comfy-Org/ComfyUI_frontend/actions/runs/22684230751/job/65763595989?pr=9380 ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-9382-fix-split-perf-report-workflow-for-fork-PR-support-3196d73d365081b29b35ed354e7789e2) by [Unito](https://www.unito.io)
134 lines
4.7 KiB
YAML
134 lines
4.7 KiB
YAML
name: 'PR: Size Report'
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ['CI: Size Data']
|
|
types:
|
|
- completed
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr_number:
|
|
description: 'PR number to report on'
|
|
required: true
|
|
type: number
|
|
run_id:
|
|
description: 'Size data workflow run ID'
|
|
required: true
|
|
type: string
|
|
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
issues: write
|
|
|
|
jobs:
|
|
comment:
|
|
runs-on: ubuntu-latest
|
|
if: >
|
|
github.repository == 'Comfy-Org/ComfyUI_frontend' &&
|
|
(
|
|
(github.event_name == 'workflow_run' &&
|
|
github.event.workflow_run.event == 'pull_request' &&
|
|
github.event.workflow_run.conclusion == 'success') ||
|
|
github.event_name == 'workflow_dispatch'
|
|
)
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
|
|
- name: Setup frontend
|
|
uses: ./.github/actions/setup-frontend
|
|
|
|
- name: Download size data
|
|
uses: dawidd6/action-download-artifact@0bd50d53a6d7fb5cb921e607957e9cc12b4ce392 # v12
|
|
with:
|
|
name: size-data
|
|
run_id: ${{ github.event_name == 'workflow_dispatch' && inputs.run_id || github.event.workflow_run.id }}
|
|
path: temp/size
|
|
|
|
- name: Resolve and validate PR metadata
|
|
id: pr-meta
|
|
uses: actions/github-script@v8
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
|
|
// workflow_dispatch: validate artifact metadata against API-resolved PR
|
|
if (context.eventName === 'workflow_dispatch') {
|
|
const pullNumber = Number('${{ inputs.pr_number }}');
|
|
const { data: dispatchPr } = await github.rest.pulls.get({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: pullNumber,
|
|
});
|
|
|
|
const artifactPr = Number(fs.readFileSync('temp/size/number.txt', 'utf8').trim());
|
|
const artifactBase = fs.readFileSync('temp/size/base.txt', 'utf8').trim();
|
|
|
|
if (artifactPr !== dispatchPr.number) {
|
|
core.setFailed(`Artifact PR number (${artifactPr}) does not match dispatch PR (${dispatchPr.number}).`);
|
|
return;
|
|
}
|
|
if (artifactBase !== dispatchPr.base.ref) {
|
|
core.setFailed(`Artifact base (${artifactBase}) does not match dispatch PR base (${dispatchPr.base.ref}).`);
|
|
return;
|
|
}
|
|
|
|
core.setOutput('number', String(dispatchPr.number));
|
|
core.setOutput('base', dispatchPr.base.ref);
|
|
return;
|
|
}
|
|
|
|
// workflow_run: validate artifact metadata against trusted context
|
|
const artifactPr = Number(fs.readFileSync('temp/size/number.txt', 'utf8').trim());
|
|
const artifactBase = fs.readFileSync('temp/size/base.txt', 'utf8').trim();
|
|
|
|
let pr = context.payload.workflow_run.pull_requests?.[0];
|
|
if (!pr) {
|
|
const { data: prs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
commit_sha: context.payload.workflow_run.head_sha,
|
|
});
|
|
pr = prs.find(p => p.state === 'open');
|
|
}
|
|
|
|
if (!pr) {
|
|
core.setFailed('Unable to resolve PR from workflow_run context.');
|
|
return;
|
|
}
|
|
|
|
if (Number(pr.number) !== artifactPr) {
|
|
core.setFailed(`Artifact PR number (${artifactPr}) does not match trusted context (${pr.number}).`);
|
|
return;
|
|
}
|
|
|
|
const trustedBase = pr.base?.ref;
|
|
if (!trustedBase || artifactBase !== trustedBase) {
|
|
core.setFailed(`Artifact base (${artifactBase}) does not match trusted context (${trustedBase}).`);
|
|
return;
|
|
}
|
|
|
|
core.setOutput('number', String(pr.number));
|
|
core.setOutput('base', trustedBase);
|
|
|
|
- name: Download previous size data
|
|
uses: dawidd6/action-download-artifact@0bd50d53a6d7fb5cb921e607957e9cc12b4ce392 # v12
|
|
with:
|
|
branch: ${{ steps.pr-meta.outputs.base }}
|
|
workflow: ci-size-data.yaml
|
|
event: push
|
|
name: size-data
|
|
path: temp/size-prev
|
|
if_no_artifact_found: warn
|
|
|
|
- name: Generate size report
|
|
run: node scripts/size-report.js > size-report.md
|
|
|
|
- name: Post PR comment
|
|
uses: ./.github/actions/post-pr-report-comment
|
|
with:
|
|
pr-number: ${{ steps.pr-meta.outputs.number }}
|
|
report-file: ./size-report.md
|
|
comment-marker: '<!-- COMFYUI_FRONTEND_SIZE -->'
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|