update #179
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…r build it's freaking dying it's v22
…it it's not supposed to be that
who the heck put node v16 here bruh your builds gonna die if you use …
fix images when 404 is not in root
…hing of untrusted files Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Adding the PR number to key helps, but the generic restore-keys: ${{ runner.os }}-node- still lets trusted runs fall back to caches written by untrusted PRs (prefix matches ignore the suffix). A malicious PR can poison linux-node-<hash>-123, and the next default-branch run will happily restore it through that restore prefix—this is the very cache poisoning scenario we’re trying to close. Reorder the key so the PR identifier is in the prefix and scope the restore key to the same prefix.
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
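The prefix fallback described in the commit message above, as an added example that is not part of this PR or the project's workflow: a simplified Python model of restore-key lookup (exact key first, then each restore key as a prefix, newest match wins) inside one shared cache scope. The two key layouts, the `pr123` and `main` scope labels and the hash values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    key: str
    created: int   # counter standing in for creation time
    writer: str    # who saved the entry (constructed label)

def restore(store, key, restore_keys):
    """Simplified lookup: exact key, then each restore key as a prefix (newest wins)."""
    for entry in store:
        if entry.key == key:
            return entry
    for prefix in restore_keys:
        hits = [e for e in store if e.key.startswith(prefix)]
        if hits:
            return max(hits, key=lambda e: e.created)
    return None

def weak_layout(os_name, lock_hash, scope):
    # PR identifier only in the suffix; the generic restore prefix ignores it.
    return f"{os_name}-node-{lock_hash}-{scope}", [f"{os_name}-node-"]

def scoped_layout(os_name, lock_hash, scope):
    # Scope comes first, and the restore key carries the same scope plus a delimiter.
    prefix = f"{os_name}-node-{scope}-"
    return prefix + lock_hash, [prefix]

def simulate(layout):
    """Constructed scenario: PR 123 saves a cache, then a default-branch run
    with a different lockfile hash restores. Returns the writer it got, or None."""
    pr_key, _ = layout("linux", "aaaa", "pr123")
    store = [Entry(pr_key, created=1, writer="untrusted-pr")]
    key, restore_keys = layout("linux", "bbbb", "main")
    hit = restore(store, key, restore_keys)
    return hit.writer if hit else None

if __name__ == "__main__":
    print("weak layout restores from:  ", simulate(weak_layout))
    print("scoped layout restores from:", simulate(scoped_layout))
```

The trailing `-` in the scoped restore key matters: without it, a restore prefix for `pr12` would also match entries saved under `pr123`.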
Potential fix for code scanning alert no. 36: Cache Poisoning via caching of untrusted files
Revert "Cheetah"
Bumps [scratch-vm](https://github.com/OmniBlocks/scratch-vm) from `6fc3d31` to `e8e4f8b`. - [Commits](OmniBlocks/scratch-vm@6fc3d31...e8e4f8b) --- updated-dependencies: - dependency-name: scratch-vm dependency-version: e8e4f8b6ddb3fd584c8980eb686a4afc0577f099 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…ch-vm-e8e4f8b Bump scratch-vm from `6fc3d31` to `e8e4f8b`
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Update comment - Building |
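Review bot: `npm ci` in the "Install dependencies" step runs package lifecycle scripts, and the code scanning alert attached to this snippet reports a checkout of untrusted code under the `issue_comment` trigger, so the PR's own package.json and lockfile decide what executes here. Consider `npm ci --ignore-scripts` for this job, or move install and build into a job without write permissions or secrets and pass the build output to the commenting and deployment steps as an artifact.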
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
issue_comment
| - name: Build website | ||
| run: npm run build | ||
| env: | ||
| NODE_ENV: production | ||
|
|
||
| - name: Add .nojekyll file | ||
| run: touch build/.nojekyll | ||
| # ============================================================ | ||
| # ANALYSIS PHASE - Using the same build! | ||
| # ============================================================ | ||
|
|
||
| - name: Update comment - Running Lighthouse |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
issue_comment
| - name: Install Lighthouse CI | ||
| run: npm install -g @lhci/cli@0.13.x | ||
|
|
||
| - name: Create Lighthouse config (filesystem only) |
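Review bot: `@lhci/cli@0.13.x` in the "Install Lighthouse CI" step is a floating range, while `@axe-core/cli@4.10.2` later in the same workflow is pinned exactly. A global install from a range lets each run pull a different release into a job the scanner flags as privileged. Pin an exact version here as well.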
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
issue_comment
| - name: Run accessibility tests | ||
| id: a11y_test | ||
| continue-on-error: true | ||
| run: | | ||
| npx http-server build -p 9090 & | ||
| SERVER_PID=$! | ||
| echo "Waiting for server to start..." | ||
| for i in {1..30}; do | ||
| if curl -s http://localhost:9090 > /dev/null; then | ||
| echo "Server is ready!" | ||
| break | ||
| fi | ||
| echo "Attempt $i/30..." | ||
| sleep 2 | ||
| done | ||
| npm install -g @axe-core/cli@4.10.2 | ||
| # Separate stderr from JSON output | ||
| axe http://localhost:9090 --stdout 2>axe-errors.log > axe-results.json || true | ||
| kill $SERVER_PID || true | ||
|
|
||
| # Debug: show file size and first few lines | ||
| echo "axe-results.json size: $(wc -c < axe-results.json 2>/dev/null || echo 0) bytes" | ||
|
|
||
| if [ -f "axe-results.json" ] && [ -s "axe-results.json" ]; then | ||
| # Validate JSON before parsing - axe returns an array | ||
| if jq empty axe-results.json 2>/dev/null; then | ||
| # Parse violations and passes from the first result in the array | ||
| VIOLATIONS=$(jq '.[0].violations | length' axe-results.json 2>/dev/null || echo "0") | ||
| PASSES=$(jq '.[0].passes | length' axe-results.json 2>/dev/null || echo "0") | ||
| echo "Successfully parsed: $VIOLATIONS violations, $PASSES passes" | ||
| echo "a11y_success=true" >> $GITHUB_OUTPUT | ||
| echo "violations=$VIOLATIONS" >> $GITHUB_OUTPUT | ||
| echo "passes=$PASSES" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "JSON parsing failed" | ||
| echo "a11y_success=false" >> $GITHUB_OUTPUT | ||
| echo "violations=error" >> $GITHUB_OUTPUT | ||
| echo "passes=error" >> $GITHUB_OUTPUT | ||
| fi | ||
| else | ||
| echo "File doesn't exist or is empty" | ||
| echo "a11y_success=false" >> $GITHUB_OUTPUT | ||
| echo "violations=error" >> $GITHUB_OUTPUT | ||
| echo "passes=error" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| - name: Upload accessibility results |
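Review bot: the parse of `axe-results.json` fails open. `jq '.[0].violations | length'` yields 0 when the array is empty or the field is missing, and `|| echo "0"` yields the same on a jq error, so a run with no usable result is written out as `a11y_success=true` with 0 violations. Check that `.[0].violations` is an array before counting, and emit the `error` values otherwise. The readiness loop also falls through after 30 attempts without failing the step, so axe can be pointed at a server that never started; exit non-zero when the loop ends without a successful `curl`.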
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
issue_comment
| - name: Visual regression - Install Playwright (only on code/test changes) | ||
| if: steps.paths.outputs.code == 'true' || steps.paths.outputs.tests == 'true' | ||
| run: | | ||
| npm ci | ||
| npx playwright install --with-deps | ||
|
|
||
| # ============================================================ | ||
| # DEPLOYMENT PHASE | ||
| # ============================================================ | ||
|
|
||
| - name: Update comment - Deploying |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
issue_comment
Thank you for submitting this pull request.
High-level summary
This PR makes updates to CI workflows, increasing MAX_CHARS in .github/workflows/PRreview.yml, renaming and significantly expanding test steps in .github/workflows/prtest.yml (renamed as "Mega PR Test & Analysis"), updating .nvmrc, and including modifications to other files such as static/404.html and package-lock.json. The key improvements include enhanced PR checks and integration steps to handle more complex workflows and analyses.
Feedback & Suggestions
1. Obvious syntax/runtime errors or security issues
- No syntax issues were detected in the provided patches. All conditional logic, YAML formatting, and variable interpolations seem correct.
- Ensure that actions like actions/checkout@v4, dorny/paths-filter@v2, and styfle/cancel-workflow-action@0.12.0 are compatible with your repository configuration and
🎉 MEGA PR Test & Analysis Complete!
Hi @supervoidcoder! Your PR has been fully tested and analyzed! 🚀✨
🌍 Test Deployment
Live Preview: https://OmniBlocks.github.io/scratch-gui/supervoidcoder/179/
🔦 Performance Audit (Lighthouse)
Core Scores:
📊 Detailed Performance Metrics:
📥 Download full Lighthouse report
📦 Bundle Size Analysis
Total Build Size: 136M
📦 Top 5 Largest JavaScript Files:
🎨 Top 5 Largest CSS Files:
♿ Accessibility Testing
📊 Build Details
💡 Pro Tip: Only one build was needed for all these checks - saving CI/CD minutes! 🎯
Important: Review skipped
Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the