Skip to content

feat(ci): re-introduce pre-commit fixer workflow but limit autofixes for now #4162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(ci): re-introduce pre-commit fixer workflow but limit autofixes for now #4162

wants to merge 4 commits into from
+346 −6

Conversation

@ashwinb
Copy link
Contributor

@ashwinb ashwinb commented Nov 14, 2025
edited
Loading

  • pre-commit is not given the GITHUB_TOKEN so a malicious pre-commit from a fork cannot end up with write access to the repo
  • restrict the apply-pre-commit workflow to hooks that actually modify files so detection-only checks are skipped
  • clarify that the trusted subset now focuses on automatic fixes for commit-ready changes

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Nov 14, 2025
@ashwinb ashwinb changed the title Limit autofix workflow to auto-fixing hooks feat(ci): re-introduce pre-commit fixer workflow but limit autofixes for now Nov 14, 2025
ashwinb
ashwinb commented Nov 14, 2025
View reviewed changes
.github/workflows/pre-commit-fix.yml
run-name: Apply a subset of pre-commit fixes

on:
workflow_dispatch:
Copy link
Contributor Author

@ashwinb ashwinb Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security guardrail #1: manual workflow dispatch

ashwinb
ashwinb commented Nov 14, 2025
View reviewed changes
.github/workflows/pre-commit-fix.yml
fetch-depth: 0
persist-credentials: false

- name: Retrieve trusted pre-commit config
Copy link
Contributor Author

@ashwinb ashwinb Nov 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security guardrail #2 (but also limitation): don't trust the pre commit config from the PR

ashwinb
ashwinb commented Nov 14, 2025
View reviewed changes
.github/workflows/pre-commit-fix.yml
env:
GITHUB_TOKEN: ''

- name: Run trusted pre-commit subset
Copy link
Contributor Author

@ashwinb ashwinb Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guardrail #3: only run a small subset of pre-commit hooks. Things like "npm ci" have vulnerabilities. We should likely include more of our custom things here but I think like above, should use "main" as the source of truth of the hook.

@mergify
Copy link

mergify bot commented Nov 15, 2025

This pull request has merge conflicts that must be resolved before it can be merged. @ashwinb please rebase it. https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

@mergify mergify bot added the needs-rebase label Nov 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yanxi0830 yanxi0830 Awaiting requested review from yanxi0830

@hardikjshah hardikjshah Awaiting requested review from hardikjshah

@raghotham raghotham Awaiting requested review from raghotham raghotham is a code owner

@ehhuang ehhuang Awaiting requested review from ehhuang ehhuang is a code owner

@terrytangyuan terrytangyuan Awaiting requested review from terrytangyuan

@leseb leseb Awaiting requested review from leseb leseb is a code owner

@bbrowning bbrowning Awaiting requested review from bbrowning bbrowning is a code owner

@reluctantfuturist reluctantfuturist Awaiting requested review from reluctantfuturist

@mattf mattf Awaiting requested review from mattf mattf is a code owner

@slekkala1 slekkala1 Awaiting requested review from slekkala1

@franciscojavierarceo franciscojavierarceo Awaiting requested review from franciscojavierarceo franciscojavierarceo is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Meta Open Source bot. codex needs-rebase

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ashwinb