Fix security vulnerability in workflows (rrweb-io#1804)

* Fix a security hole in rrweb-io#1787 found by Arun Murugesan:

"The workflow .github/workflows/eslint-check.yml contained a critical "pwn request" vulnerability that allows any GitHub user to execute arbitrary code with access to repository secrets by opening a pull request."

See preactjs/compressed-size-action#54 for why that action shouldn't be used with pull_request_target

This change in this PR drops compressed-size-action in favour of executing the steps ourselves in two workflows, one which produces the size artifact, and the other which reads the artifact has the permissions to write the message back to the original PR (which is in a third party repo)

* The annotate action also needed pull-requests: write permission (fixes failing run 'ESLint Annotation')

* ci(bundle-size): extract bundle size scripts and simplify workflow

- Add `.github/scripts/measure-bundle-sizes.js` and
  `render-bundle-size-comment.js` to replace inline node scripts
  embedded in workflow YAML, improving readability and reusability
- Refactor `eslint-check.yml` to use the new script files and fix
  checkout steps to handle both PR and non-PR triggers correctly
- Refactor `pr-checks-privileged.yml` to replace the large
  `github-script` block with `render-bundle-size-comment.js` and
  the `marocchino/sticky-pull-request-comment` action; remove the
  now-unnecessary `pr_number.txt` artifact by reading the PR number
  directly from the workflow_run event
- Pin `ataylorme/eslint-annotate-action` to a specific commit SHA
- Add `actions: read` permission where needed for artifact downloads

* ci: add fork PR support and harden workflow

- Look up PR number via API when workflow_run.pull_requests is empty
  (GitHub leaves it empty for fork PRs), falling back gracefully
- Use head SHA instead of branch name for PR checkout to avoid TOCTOU
- Fix formatSignedSize to produce +0 instead of -0 for zero values
- Gate comment steps on successful PR number lookup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Eoghan Murray <eoghan@getthere.ie>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/scripts/measure-bundle-sizes.js

@@ -0,0 +1,52 @@
+const fs = require('fs');
+const path = require('path');
+
+const outputPath = process.argv[2];
+
+if (!outputPath) {
+  console.error(
+    'Usage: node .github/scripts/measure-bundle-sizes.js <output-path>',
+  );
+  process.exit(1);
+}
+
+const rootDir = process.cwd();
+const sizes = {};
+
+function normalizePath(filePath) {
+  return path.relative(rootDir, filePath).replace(/\\/g, '/');
+}
+
+function shouldTrack(filePath) {
+  const normalizedPath = normalizePath(filePath);
+
+  if (normalizedPath.startsWith('packages/packer/dist/')) {
+    return false;
+  }
+
+  return /(^|\/)dist\/[^/]+\.(js|cjs|mjs|css)$/.test(normalizedPath);
+}
+
+function walk(dirPath) {
+  for (const entry of fs.readdirSync(dirPath, { withFileTypes: true })) {
+    if (entry.name === 'node_modules') {
+      continue;
+    }
+
+    const entryPath = path.join(dirPath, entry.name);
+
+    if (entry.isDirectory()) {
+      walk(entryPath);
+      continue;
+    }
+
+    if (!shouldTrack(entryPath)) {
+      continue;
+    }
+
+    sizes[normalizePath(entryPath)] = fs.statSync(entryPath).size;
+  }
+}
+
+walk(rootDir);
+fs.writeFileSync(outputPath, `${JSON.stringify(sizes, null, 2)}\n`);

.github/scripts/render-bundle-size-comment.js

@@ -0,0 +1,155 @@
+const fs = require('fs');
+
+const prPath = process.argv[2];
+const basePath = process.argv[3];
+
+if (!prPath || !basePath) {
+  console.error(
+    'Usage: node .github/scripts/render-bundle-size-comment.js <pr-sizes.json> <base-sizes.json>',
+  );
+  process.exit(1);
+}
+
+function readJson(filePath) {
+  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+}
+
+function formatSize(bytes) {
+  if (bytes == null) {
+    return '-';
+  }
+
+  if (Math.abs(bytes) < 1024) {
+    return `${bytes} B`;
+  }
+
+  return `${(bytes / 1024).toFixed(2)} kB`;
+}
+
+function formatSignedSize(bytes) {
+  const absoluteBytes = Math.abs(bytes);
+
+  if (absoluteBytes < 1024) {
+    return `${bytes >= 0 ? '+' : '-'}${absoluteBytes} B`;
+  }
+
+  return `${bytes >= 0 ? '+' : '-'}${(absoluteBytes / 1024).toFixed(2)} kB`;
+}
+
+function formatDiff(diff, baseValue) {
+  if (diff === 0) {
+    return '-';
+  }
+
+  const percentage =
+    baseValue > 0
+      ? ` (${diff > 0 ? '+' : ''}${((diff / baseValue) * 100).toFixed(2)}%)`
+      : '';
+
+  return `${formatSignedSize(diff)}${percentage}`;
+}
+
+function getPackageName(filePath) {
+  const match = filePath.match(/^packages\/([^/]+)\//);
+  return match ? match[1] : '(root)';
+}
+
+function getFileLabel(filePath, packageName) {
+  const packagePrefix = `packages/${packageName}/dist/`;
+
+  if (packageName !== '(root)' && filePath.startsWith(packagePrefix)) {
+    return filePath.slice(packagePrefix.length);
+  }
+
+  return filePath;
+}
+
+const prSizes = readJson(prPath);
+const baseSizes = readJson(basePath);
+
+const allFiles = [
+  ...new Set([...Object.keys(prSizes), ...Object.keys(baseSizes)]),
+].sort();
+const changedFiles = allFiles.filter(
+  (filePath) => prSizes[filePath] !== baseSizes[filePath],
+);
+
+if (changedFiles.length === 0) {
+  process.stdout.write('## Bundle Size Changes\n\nNo bundle size changes.\n');
+  process.exit(0);
+}
+
+const totalPrSize = allFiles.reduce(
+  (sum, filePath) => sum + (prSizes[filePath] ?? 0),
+  0,
+);
+const totalBaseSize = allFiles.reduce(
+  (sum, filePath) => sum + (baseSizes[filePath] ?? 0),
+  0,
+);
+const totalDiff = totalPrSize - totalBaseSize;
+
+const filesByPackage = new Map();
+
+for (const filePath of changedFiles) {
+  const packageName = getPackageName(filePath);
+  const files = filesByPackage.get(packageName) ?? [];
+  files.push(filePath);
+  filesByPackage.set(packageName, files);
+}
+
+const sections = [...filesByPackage.entries()]
+  .sort(([left], [right]) => left.localeCompare(right))
+  .map(([packageName, files]) => {
+    const packagePrSize = files.reduce(
+      (sum, filePath) => sum + (prSizes[filePath] ?? 0),
+      0,
+    );
+    const packageBaseSize = files.reduce(
+      (sum, filePath) => sum + (baseSizes[filePath] ?? 0),
+      0,
+    );
+    const packageDiff = packagePrSize - packageBaseSize;
+
+    const rows = files
+      .map((filePath) => {
+        const fileDiff = (prSizes[filePath] ?? 0) - (baseSizes[filePath] ?? 0);
+        return `| \`${getFileLabel(filePath, packageName)}\` | ${formatSize(
+          baseSizes[filePath],
+        )} | ${formatSize(prSizes[filePath])} | ${formatDiff(
+          fileDiff,
+          baseSizes[filePath] ?? 0,
+        )} |`;
+      })
+      .join('\n');
+
+    return [
+      '<details>',
+      `<summary>\`${packageName}\` - ${formatSize(
+        packageBaseSize,
+      )} -> ${formatSize(packagePrSize)} (${formatDiff(
+        packageDiff,
+        packageBaseSize,
+      )})</summary>`,
+      '',
+      '| File | Base | PR | Diff |',
+      '|------|------|----|------|',
+      rows,
+      '',
+      '</details>',
+    ].join('\n');
+  });
+
+const body = [
+  '## Bundle Size Changes',
+  '',
+  `**Size change:** ${formatDiff(
+    totalDiff,
+    totalBaseSize,
+  )} | **Total size:** ${formatSize(totalPrSize)}`,
+  '',
+  sections.join('\n\n'),
+  '',
+].join('\n');
+
+process.stdout.write(body);

.github/workflows/eslint-check.yml

@@ -2,7 +2,7 @@ name: ESLint Check
 
 on:
   push:
-  pull_request_target:
+  pull_request:
 
 jobs:
   eslint_check_upload:
@@ -12,10 +12,15 @@ jobs:
     name: ESLint Check and Report Upload
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout pull request head
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v4
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.head_ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Checkout current branch
+        if: github.event_name != 'pull_request'
+        uses: actions/checkout@v4
       - name: Setup Node
         uses: actions/setup-node@v3
         with:
@@ -38,49 +43,60 @@ jobs:
         with:
           name: eslint_report.json
           path: eslint_report.json
-
-  annotation:
-    # Skip the annotation action in push events
-    if: github.event_name == 'pull_request_target'
-    permissions:
-      checks: write
-    needs: eslint_check_upload
-    runs-on: ubuntu-latest
-    name: ESLint Annotation
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          name: eslint_report.json
-      - name: Annotate Code Linting Results
-        uses: ataylorme/eslint-annotate-action@v2
+      - name: Measure PR bundle sizes
+        if: github.event_name == 'pull_request'
+        run: node .github/scripts/measure-bundle-sizes.js pr-sizes.json
+      - name: Upload PR bundle sizes
+        if: github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
         with:
-          repo-token: '${{ secrets.GITHUB_TOKEN }}'
-          report-json: 'eslint_report.json'
+          name: pr-sizes
+          path: pr-sizes.json
 
-  bundle_size:
-    # Only runs on PRs (needs a base branch to compare against)
-    if: github.event_name == 'pull_request_target'
+  bundle_size_build:
+    # Only runs on PRs. Reuses the PR build from eslint_check_upload (via the
+    # pr-sizes artifact) and only builds the base branch itself. The privileged
+    # bundle-size-comment workflow then posts the PR comment without ever
+    # executing fork code.
+    if: github.event_name == 'pull_request'
+    needs: eslint_check_upload
     runs-on: ubuntu-latest
     permissions:
+      actions: read
       contents: read
-      pull-requests: write
-    name: Check Bundle Sizes
+    name: Build Base for Bundle Size Comparison
     steps:
+      - name: Checkout workflow ref
+        uses: actions/checkout@v4
+      - name: Prepare bundle size helper
+        run: |
+          cp .github/scripts/measure-bundle-sizes.js /tmp/measure-bundle-sizes.js
+      # --- Base branch ---
       - uses: actions/checkout@v4
         with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.head_ref }}
-      - name: Setup Node
-        uses: actions/setup-node@v3
+          ref: ${{ github.base_ref }}
+      - name: Download PR bundle sizes
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-sizes
+      - uses: actions/setup-node@v3
         with:
           node-version: lts/*
           cache: 'yarn'
-      - name: Check bundle sizes
-        uses: preactjs/compressed-size-action@v2
-        with:
-          install-script: 'yarn install --frozen-lockfile'
-          build-script: 'build:all'
-          compression: 'none'
-          pattern: '**/dist/*.{js,cjs,mjs,css}'
+      - name: Install base dependencies
+        run: yarn install --frozen-lockfile
         env:
           PUPPETEER_SKIP_DOWNLOAD: true
+      - name: Build base branch
+        run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all
+        env:
+          PUPPETEER_SKIP_DOWNLOAD: true
+      - name: Measure base bundle sizes
+        run: node /tmp/measure-bundle-sizes.js base-sizes.json
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: bundle-size-data
+          path: |
+            pr-sizes.json
+            base-sizes.json