Refactor Jest ci & Added comment workflow #6380
sonalgaud12 wants to merge 3 commits into sugarlabs:master from
Conversation
✅ All Jest tests passed! This PR is ready to merge.
mahesh-09-12 left a comment
Nice split; using pull_request + workflow_run makes sense. Just one thing: with --forceExit + continue-on-error, are we sure the test results we upload are always complete? Wondering if the comment job could pick up partial results in some cases.
Also, do test failures still fail CI clearly, or are they mostly shown in the PR comment now?
Hey @sonalgaud12 Reviewed the workflow changes—solid approach on the split between Open to collaborating on this? I've drafted a PR with solutions ready to go.
…t Listener Cleanup

- Refactor Jest workflow into two independent workflows for better security
  * pr-jest-tests.yml: Runs tests with pull_request event (read-only permissions)
  * pr-jest-comment.yml: Posts results via workflow_run (trusted context)
- Add artifact retention policy (7-day auto-cleanup) to prevent disk bloat
- Add concurrency control to prevent duplicate PR comments on rapid commits
- Add error handling for missing artifacts with graceful fallback
- Reduce permissions scope in test job to contents: read only
- Implement event listener cleanup to prevent accumulation vulnerability
  * Add _cleanupEventHandlers() method in Block class
  * Clean up CreateJS container event listeners
  * Clean up DOM event listeners from label input field
  * Call cleanup before marking blocks as trash in Blocks.moveToTrash()

Security improvements address all 4 weak points from Jest workflow audit:
✅ Artifact Retention - retention-days: 7
✅ Race Conditions - concurrency control group added
✅ Error Handling - continue-on-error: true with fallback
✅ Permissions - reduced to contents: read in untrusted context

Fixes vulnerability identified in PR sugarlabs#6380 review. All 3948 Jest tests pass, no breaking changes.
Splits the Jest workflow into two:
- pr-jest-tests.yml — runs tests, enforces results, uploads artifacts
- pr-jest-comment.yml — posts/updates a PR comment with test results via workflow_run

Why
This follows GitHub's recommended pattern for PR workflows: untrusted code runs under the safer pull_request event (read-only permissions), while comment posting runs in a trusted workflow_run context with only pull-requests: write.
Key Changes
pr-jest-tests.yml
- pull_request_target → pull_request; permissions reduced to contents: read
- Added --forceExit, continue-on-error: true, and step outputs instead of env vars
- Replaced PR comment posting with a GitHub Step Summary + artifact upload
pr-jest-comment.yml
- Downloads artifacts from the test run, generates a pass / fail comment
- Posts a new comment or updates an existing one (deduped via marker)
PR Category
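The two-workflow split the description lays out, as an added illustration; these are not the PR's own files (sonalgaud12's actual YAML is not on this page). Both files are shown in one block separated by `---`. Assumed, because the page does not state them: the workflow name `Jest tests` that links the two, the Node setup steps, writing Jest's `--json` report into the artifact, and shipping the PR number inside the artifact because `workflow_run` does not carry pull_request context for fork PRs. Two practitioner caveats the description does not mention are folded in: reading another run's artifact needs `actions: read` alongside `pull-requests: write`, and everything read out of the artifact was written by PR-branch code, so the PR number is validated against the run's head SHA and an interrupted or miscounted Jest report is reported as incomplete rather than as a pass (which is the question mahesh-09-12 raises above).

```yaml
# --- .github/workflows/pr-jest-tests.yml (illustration, not the project's file) ---
# Runs on pull_request: fork code executes with a read-only GITHUB_TOKEN.
name: Jest tests
on:
  pull_request:
permissions:
  contents: read
concurrency:
  group: jest-tests-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: Run Jest
        id: jest
        continue-on-error: true   # keep going so results are uploaded even on failure
        run: npx jest --forceExit --json --outputFile=jest-results.json   # --json is assumed
      - name: Bundle results (step output, not env var)
        run: |
          mkdir -p results
          echo "${{ github.event.pull_request.number }}" > results/pr-number.txt
          cp jest-results.json results/ 2>/dev/null || true
          echo "### Jest: ${{ steps.jest.outcome }}" >> "$GITHUB_STEP_SUMMARY"
      - uses: actions/upload-artifact@v4
        with:
          name: jest-results
          path: results/
          retention-days: 7
      - name: Fail CI if tests failed
        if: steps.jest.outcome != 'success'
        run: exit 1
---
# --- .github/workflows/pr-jest-comment.yml (illustration, not the project's file) ---
# Runs in the base repository's trusted context after the test run completes.
name: Jest PR comment
on:
  workflow_run:
    workflows: ["Jest tests"]
    types: [completed]
permissions:
  pull-requests: write
  actions: read          # required to fetch another run's artifact
concurrency:
  group: jest-comment-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: true
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        continue-on-error: true   # missing artifact -> fall back to a warning comment
        with:
          name: jest-results
          path: results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const read = f => fs.existsSync(`results/${f}`) ? fs.readFileSync(`results/${f}`, 'utf8').trim() : null;
            const marker = '<!-- jest-results-comment -->';
            // Artifact contents were written by PR-branch code: validate before use.
            const prText = read('pr-number.txt');
            if (!/^\d+$/.test(prText ?? '')) { core.warning('No usable artifact; skipping comment'); return; }
            const prNumber = Number(prText);
            const { data: pr } = await github.rest.pulls.get({ ...context.repo, pull_number: prNumber });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) { core.warning('PR head does not match this run; skipping'); return; }
            // Treat interrupted or miscounted runs as incomplete rather than green.
            const raw = read('jest-results.json');
            const r = raw ? JSON.parse(raw) : null;
            const counted = r && r.numPassedTests + r.numFailedTests + r.numPendingTests + r.numTodoTests === r.numTotalTests;
            let body = marker + '\n';
            if (!r || r.wasInterrupted || !counted) body += '⚠️ Jest results missing or incomplete; check the workflow run.';
            else if (r.success) body += `✅ All ${r.numTotalTests} Jest tests passed! This PR is ready to merge.`;
            else body += `❌ ${r.numFailedTests} of ${r.numTotalTests} Jest tests failed.`;
            body += `\n\nRun: ${context.payload.workflow_run.html_url}`;
            // Dedupe: update the existing marker comment instead of adding another.
            const { data: comments } = await github.rest.issues.listComments({ ...context.repo, issue_number: prNumber, per_page: 100 });
            const existing = comments.find(c => c.body && c.body.startsWith(marker));
            if (existing) await github.rest.issues.updateComment({ ...context.repo, comment_id: existing.id, body });
            else await github.rest.issues.createComment({ ...context.repo, issue_number: prNumber, body });
```

The test workflow still fails CI on its own (the final `exit 1` step) even though `continue-on-error: true` lets the upload run first, so a red check does not depend on the comment being posted. The comment workflow never runs code from the PR branch; it only reads the artifact, and it refuses to comment when the artifact is absent, the PR number is malformed, or the run's head SHA no longer matches the PR.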