CLA Assistant Lite bot: All contributors have signed the CLA ✍️ ✅

I have read the CLA Document and I hereby sign the CLA

recheck
Pull request overview
Introduces a new GitHub Actions workflow for building the Studio frontend via a reusable workflow, and adjusts the static analysis workflow’s PHPStan matrix selection logic to support multiple PHP versions.
Changes:
- Added a new Studio frontend build workflow that delegates to the pimcore/workflows-collection-public reusable workflow.
- Added a backup (.bak) version of the previous Studio frontend build workflow definition.
- Updated static analysis matrix filtering to include configurations for multiple PHP versions parsed from composer.json.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/studio-frontend-build.yaml.bak | Adds a backup copy of the prior Studio frontend build workflow definition. |
| .github/workflows/new-studio-frontend-build.yaml | New workflow calling a reusable Studio frontend build workflow and requesting write permissions. |
| .github/workflows/new-static-analysis.yaml | Updates PHPStan matrix filtering to match multiple PHP versions. |
| push: | ||
| paths: | ||
| - "assets/studio/**" | ||
| pull_request_target: |
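Review bot: the `paths` filter on `assets/studio/**` narrows when this workflow runs but not what it can do: on `pull_request_target` the job still receives the base repository's `GITHUB_TOKEN` and secrets for pull requests opened from forks. If the trigger is kept, add a trust gate on the `studio-frontend-build` job such as `if: github.event.pull_request.head.repo.full_name == github.repository` so fork pull requests never reach the reusable workflow with a privileged token; switching the trigger to `pull_request` removes the need for the gate.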
Using `pull_request_target` here can be dangerous if the reusable workflow checks out and executes code from the PR branch (e.g., `npm install`/`npm run build`), because it runs in the base-repo context. Consider switching to `pull_request` (read-only) or adding explicit safeguards (e.g., only run for same-repo PRs / trusted actors, require approval/label gating) to avoid exposing a write-scoped token to untrusted code.
| pull_request_target: | |
| pull_request: |
| with: | ||
| build-output-path: "./src/Resources/public/studio/" | ||
| permissions: | ||
| contents: write |
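Review bot: workflow-level `permissions: contents: write` is the ceiling handed to the called reusable workflow, and it is that workflow rather than this caller that checks out and builds the code, so the scope should match what its steps actually need. If the build only produces artifacts, `contents: read` suffices; if it commits the contents of `./src/Resources/public/studio/` back to the repository, restrict that to `push` events instead of granting write on pull-request runs.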
`permissions: contents: write` in a workflow that can run on PRs (especially with `pull_request_target`) grants write access to the repository. If the intent is only to upload artifacts, consider reducing permissions; if the intent is to commit build output, consider restricting execution to trusted contexts to prevent abuse.
| contents: write | |
| contents: read |
| jobs: | ||
| studio-frontend-build: | ||
| uses: pimcore/workflows-collection-public/.github/workflows/reusable-studio-frontend-build.yaml@main |
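Review bot: `@main` on the `uses:` line resolves to whatever `pimcore/workflows-collection-public` currently has on that branch, so a change there silently changes this build. Pin to a full commit SHA with the version in a trailing comment (`@<commit-sha> # v1.3.0`, the SHA being the one the release tag points at), since a tag alone can be moved, and let a Dependabot `github-actions` update entry keep the pin current.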
The reusable workflow is referenced by the moving `@main` ref. To make builds reproducible and reduce supply-chain risk, pin this to an immutable tag or commit SHA (or at least a dedicated release branch) as is done in other workflows (e.g., `@v1.3.0`, `@reusable-workflows`).
| uses: pimcore/workflows-collection-public/.github/workflows/reusable-studio-frontend-build.yaml@main | |
| uses: pimcore/workflows-collection-public/.github/workflows/reusable-studio-frontend-build.yaml@v1.3.0 |
Changes in this pull request
Resolves #
Additional info