Conversation

@AaronDewes
This improves the security of the workflow. Alternative to #258.

…repo
@AaronDewes
Author

@billyvg Just FYI: For this fix to be effective, it needs to be cherry-picked to every branch of this repository that contains the vulnerable workflow.

Alternatively, you can also delete the stale branches.

I think there is also an option that allows disabling any workflow named .github/workflows/style-check.yml through the GitHub settings (so you can simply rename the patched version on the main branch and don't have to interact with any other branches), but I'm not fully sure how this works.
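A check for the cherry-pick step above, added here as an example and not part of the PR or the repository: it lists every local branch whose tip still carries a given workflow file, so each can be patched or deleted. It assumes git is installed; the demo repository, its branch names and the workflow content are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the PR). Lists branches that still contain a
# workflow file at a given path. Assumes git is on PATH; the demo
# repository built below and its branch names are hypothetical.

# Print, one per line, the local branches whose tip contains $2 in repo $1.
branches_with_workflow() {
    repo="$1"
    workflow="$2"
    git -C "$repo" for-each-ref --format='%(refname:short)' refs/heads/ |
    while IFS= read -r branch; do
        # cat-file -e exits 0 only if the blob exists at "<ref>:<path>".
        if git -C "$repo" cat-file -e "$branch:$workflow" 2>/dev/null; then
            printf '%s\n' "$branch"
        fi
    done
}

# Build a small constructed repository: main and a stale branch keep the
# workflow, a third branch has removed it.
make_demo_repo() {
    dir="$1"
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" config user.name demo
    git -C "$dir" config user.email demo@example.invalid
    mkdir -p "$dir/.github/workflows"
    printf 'name: style-check\n' > "$dir/.github/workflows/style-check.yml"
    git -C "$dir" add -A
    git -C "$dir" commit -q -m 'add workflow'
    git -C "$dir" branch stale-feature          # still carries the workflow
    git -C "$dir" checkout -q -b no-workflow
    git -C "$dir" rm -q .github/workflows/style-check.yml
    git -C "$dir" commit -q -m 'remove workflow'
    git -C "$dir" checkout -q main
}

demo="$(mktemp -d)"
make_demo_repo "$demo"
# Prints: main, stale-feature (no-workflow is skipped).
branches_with_workflow "$demo" .github/workflows/style-check.yml
```

Run it against a real clone by replacing the constructed repository path with the clone's path; remote-only branches need a fetch first so they appear under refs/heads/.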

with:
  GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
  repo-token: '${{ secrets.GITHUB_TOKEN }}'
  report-json: 'eslint_report.json'

Bug: The ataylorme/eslint-annotate-action is passed an incorrect repo-token parameter. The action expects GITHUB_TOKEN, which will cause authentication to fail.
Severity: HIGH | Confidence: High

🔍 Detailed Analysis

The ataylorme/eslint-annotate-action is configured to receive an authentication token via the repo-token parameter. However, an analysis of the action's definition, for both the previous and updated versions, confirms that it expects this token to be passed using the GITHUB_TOKEN parameter. Because the wrong parameter name is used, the action will not receive the necessary authentication token. This will cause the step to fail, preventing ESLint annotations from being posted to pull requests.

💡 Suggested Fix

In the .github/workflows/style-check.yml file, change the parameter name from repo-token back to GITHUB_TOKEN for the ataylorme/eslint-annotate-action step to ensure the authentication token is passed correctly.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: .github/workflows/style-check.yml#L56

Potential issue: The `ataylorme/eslint-annotate-action` is configured to receive an authentication token via the `repo-token` parameter. However, an analysis of the action's definition, for both the previous and updated versions, confirms that it expects this token to be passed using the `GITHUB_TOKEN` parameter. Because the wrong parameter name is used, the action will not receive the necessary authentication token. This will cause the step to fail, preventing ESLint annotations from being posted to pull requests.



@billyvg billyvg merged commit 4700e30 into getsentry:sentry-v2 Dec 19, 2025
11 checks passed