[r3.4] ci(docs): mirror update-disk-sizes lint/security hardening from main#21271
Merged
bloxster merged 1 commit intoMay 19, 2026
Merged
Conversation
Brings release/3.4's copy of update-disk-sizes.yml in line with the copy on main (PR #21100), which received several iterations of Copilot review and a recent zizmor-driven security pass: - Use GITHUB_OUTPUT (not GITHUB_ENV) for prune_mode / source_run_id / base_branch propagation, avoiding zizmor's github-env rule. - Validate workflow_dispatch inputs (numeric run_id, allowed-char base_branch, full|minimal prune_mode) before writing them anywhere. - Pass values to downstream shell steps via per-step env: blocks rather than template substitution (no template-injection findings). - Add a "Verify artifacts are present" step that fails fast if the download yielded no artifacts. - Bump actions/download-artifact v7 -> v8 and actions/setup-python v5 -> v6 to match the rest of the repo. - Set persist-credentials: true explicitly on checkout (the later git push needs them). - zizmor: ignore[dangerous-triggers] on workflow_run with justification (no checkout of the triggering run's head; BASE_BRANCH pinned to release/3.4 for workflow_run events). The branches: filter intentionally still only lists release/3.* — this copy is for QA runs on the release branch; the main copy listens for default-branch runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mriccobene
approved these changes
May 19, 2026
3 tasks
Sahil-4555
pushed a commit
to Sahil-4555/erigon
that referenced
this pull request
May 19, 2026
…es (erigontech#21100) ## Context The `update-disk-sizes.yml` workflow uses a `workflow_run` trigger. GitHub evaluates `workflow_run` events against the workflow file on the **default branch** (`main`). Without this file on `main`, successful sync runs on `release/3.*` would not invoke the collector workflow added by erigontech#21030. This PR adds the file to `main` so the trigger fires, then iterates on hardening to keep this copy aligned with the release-branch copy. ## What this PR does Adds `.github/workflows/update-disk-sizes.yml` to `main`. Behavior is functionally identical to erigontech#21030's copy on `release/3.4`; the differences below are pure hardening / lint cleanup, mostly driven by Copilot review and a zizmor security pass. ### Trigger scope - `workflow_run` listens for `release/3.*` runs of the QA sync workflows, **plus** `main` for the scheduled QA runs (so they also feed the collector). - The release-branch copy intentionally stays narrower (`release/3.*` only). The single-line difference between the two files after both land. ### Input safety - **`workflow_dispatch` inputs validated** before any value is propagated downstream: numeric `run_id`, allowed-char `base_branch`, `full|minimal` `prune_mode`. Anything else exits non-zero. - **`GITHUB_OUTPUT`** used instead of `GITHUB_ENV` for `prune_mode` / `source_run_id` / `base_branch` propagation. Step outputs are not environment variables, so zizmor's `github-env` rule doesn't fire on potential code execution paths. - **Per-step `env:` blocks** instead of template substitution into shell scripts — no template-injection findings. ### Robustness - **"Verify artifacts are present"** step that fails fast if the download yielded an empty directory (instead of silently producing an empty JSON update). - **`persist-credentials: true`** explicit on the checkout (the later `git push` needs them). - **Quoted branch variables** throughout the push / PR-lookup paths. - **`set -euo pipefail`** on multi-line shell blocks. - **Normal `git push`** instead of `git push --force` for the auto-update branch. ### Tooling and review - **Action bumps**: `actions/download-artifact@v7 → @v8`, `actions/setup-python@v5 → @v6`, aligning with the rest of the repo. - **`# zizmor: ignore[dangerous-triggers]`** on the `workflow_run` trigger with justification — this workflow never checks out the triggering run's head, and `BASE_BRANCH` is pinned per-event (not derived from untrusted input). - Addressed all Copilot review threads across the iteration cycle (`690c6927` — `download-artifact@v8`, env-based handling for `workflow_dispatch` inputs, `workflow_run.branches` includes `main`). ## Test plan - [x] CI passes on this PR - [x] No functional change vs. the existing `release/3.4` copy beyond the `branches:` filter widening - [ ] After this and erigontech#21271 both merge: diff the two files — single-line difference on `branches:` only Related: erigontech#21030, erigontech#21271 --------- Co-authored-by: Gianni Morselli <gianni.morselli@erigon.tech> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Bloxster <bloxster@proton.me> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 tasks
pull Bot
pushed a commit
to Dustin4444/erigon
that referenced
this pull request
May 20, 2026
…21278) ## Summary Addresses [lystopad's review comment](erigontech#21100 (comment)) on erigontech#21100, which merged before it could be addressed. The `Configure git` step in `update-disk-sizes.yml` was using the generic `github-actions[bot]` author. Lystopad's feedback: > Please, use another name here which would clearly points to this workflow. For example something like: > ``` > git config user.name "github-workflow-update-disk-sizes-run-${RUN_ID}" > ``` > Otherwise it would be hard to understand source of the change in target repo. ## What changed `.github/workflows/update-disk-sizes.yml` — `Configure git` step: ```diff - name: Configure git if: steps.diff.outputs.changed == 'true' + env: + RUN_ID: ${{ github.run_id }} run: | set -euo pipefail - git config user.name "github-actions[bot]" + git config user.name "github-workflow-update-disk-sizes-run-${RUN_ID}" git config user.email "github-actions[bot]@users.noreply.github.com" ``` - **Name change**: `github-actions[bot]` → `github-workflow-update-disk-sizes-run-<run-id>`. The auto-update commit now names the specific workflow and the exact run, so anyone investigating the commit in the target repo can jump straight to the run that produced it. - **`RUN_ID` propagated via `env:` block**, consistent with the rest of the workflow's anti-template-injection pattern (no template substitution into shell). - **`user.email` unchanged** — `github-actions[bot]@users.noreply.github.com` still keeps the commit attributed to the bot. Lystopad's suggestion only addressed `user.name`. ## Test plan - [x] YAML syntax check (`yamllint`-style by visual inspection — single `env:` insertion) - [ ] First `update-disk-sizes` workflow run after merge: confirm the produced `chore(docs): auto-update measured disk sizes` commit has author `github-workflow-update-disk-sizes-run-<id>` (where `<id>` matches the workflow run ID linked from the commit annotation) Related: erigontech#21100, erigontech#21271 Co-authored-by: Bloxster <bloxster@proton.me> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the
release/3.4copy of.github/workflows/update-disk-sizes.ymlin line with themaincopy (PR #21100), which received several iterations of Copilot review plus a recent zizmor-driven security pass.Net behavior is identical — the changes are all internal hardening / lint cleanup.
What changed
GITHUB_OUTPUTinstead ofGITHUB_ENVforprune_mode/source_run_id/base_branchpropagation. Step outputs aren't environment variables, so zizmor'sgithub-envrule doesn't fire.workflow_dispatchinputs (numericrun_id, allowed-charbase_branch,full|minimalprune_mode) before any value is written downstream.env:blocks instead of template substitution into shell scripts — no template-injection findings.actions/download-artifact@v7 → @v8,actions/setup-python@v5 → @v6, aligning with the rest of the repo.persist-credentials: trueexplicit on the checkout (the latergit pushneeds them).# zizmor: ignore[dangerous-triggers]on theworkflow_runtrigger with justification — this workflow never checks out the triggering run's head;BASE_BRANCHis always pinned torelease/3.4forworkflow_runevents.What did not change
branches:filter still lists onlyrelease/3.*. Themaincopy lists bothmainandrelease/3.*because it exists specifically to fire for default-branch QA runs; the release-branch copy intentionally stays narrower.Why now
Zizmor was added to
main's lint workflow in #21127 (merged 2026-05-13, ~9h after #21030 merged here). The release/3.4 copy is fine under release/3.4's current lint config — but if/when zizmor gets backported, the existing file would fail the same checks that #21100 just fixed onmain. This keeps the two copies aligned ahead of that.Test plan
branches:filter unchanged, same trigger, same outputsmain's copy after this and [main] ci: add update-disk-sizes workflow so workflow_run trigger fires #21100 both merge: single-line difference on thebranches:filter only🤖 Generated with Claude Code