Conversation

@AdnaneKhan
PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.dev application / infrastructure changes
  • Other... Please describe:

What is the current behavior?

The benchmark-compare.yml workflow hasn't been used in over a year; it also contains a TOCTOU issue that external contributors could exploit if maintainers did decide to start using it.

Issue Number: N/A

What is the new behavior?

Remove the workflow because it is not used.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@google-cla
google-cla bot commented Nov 19, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@pullapprove pullapprove bot requested a review from devversion November 19, 2024 22:40
@angular-robot angular-robot bot added the area: build & ci Related the build and CI infrastructure of the project label Nov 19, 2024
@ngbot ngbot bot added this to the Backlog milestone Nov 19, 2024
Member

@devversion devversion left a comment

I haven't refreshed my mind on the "potential security issue", but from my quick look— I think we only check out the fork PR at the given comment time; which is assumed to be verified/checked by the team member at comment time.

On the other hand, I'm not super opposed to deleting this, but if so, we should also delete the logic in yarn benchmark prepare-for-github-action

@AdnaneKhan
Author

I haven't refreshed my mind on the "potential security issue", but from my quick look— I think we only check out the fork PR at the given comment time; which is assumed to be verified/checked by the team member at comment time.

On the other hand, I'm not super opposed to deleting this, but if so, we should also delete the logic in yarn benchmark prepare-for-github-action

The problem is subtle, but it lies here:

      - uses: alessbell/pull-request-comment-branch@aad01d65d6982b8eacabed5e9a684cd8ceb98da6 # v1.1
        id: comment-branch

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Specify repository as the PR branch might be from a fork.
          repository: ${{steps.comment-branch.outputs.head_owner}}/${{steps.comment-branch.outputs.head_repo}}
          # Checkout the pull request and assume it being trusted given we've checked
          # that the action was triggered by a team member.
          ref: ${{steps.comment-branch.outputs.head_ref}}

Essentially there is a race condition due to the multi-second delay between when the trusted user creates the comment and the benchmark workflow starts running. As a result, the workflow will check out the latest code from whatever the PR head branch is of the fork repo.

Now, realistically this will not get exploited (which is why I am simply making a PR to remove the workflow) because the workflow hasn't been used in over a year. I'll update my PR to remove the associated benchmark logic.
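An added example (not code from this PR or from the Angular repository) of the mitigation the race above calls for: instead of resolving the mutable `head_ref` when the workflow finally runs, the trusted maintainer names the exact commit they reviewed and the job only ever checks out that immutable SHA. The `/benchmark <sha>` command format, the function names and the sample `issue_comment` payloads are assumptions made for this example.

```python
import re
from typing import Optional

# author_association values GitHub assigns to people who belong to the repository.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER"}

# The maintainer must name the exact commit they reviewed: a full 40-hex SHA.
# A branch name (what head_ref resolves to) is mutable, and an abbreviated SHA
# could be matched by a commit pushed after the comment, so both are rejected.
COMMAND = re.compile(r"^/benchmark\s+([0-9a-fA-F]{40})\s*$")


def approved_sha(event: dict) -> Optional[str]:
    """Return the commit a trusted maintainer approved, or None to skip the run.

    `event` is the issue_comment webhook payload. The PR's current head is never
    consulted, so a push to the fork branch after the comment cannot change what
    a later checkout step receives.
    """
    if "pull_request" not in event.get("issue", {}):
        return None  # comment on a plain issue, not on a pull request
    comment = event.get("comment", {})
    if comment.get("author_association") not in TRUSTED_ASSOCIATIONS:
        return None  # external commenter, or association missing from payload
    match = COMMAND.match(comment.get("body", ""))
    return match.group(1).lower() if match else None


def sha_in_pr(sha: str, pr_commit_shas: list) -> bool:
    """Check that the approved SHA really is one of the PR's commits.

    The list would come from GET /repos/{owner}/{repo}/pulls/{n}/commits; the
    caller passes it in so this stays testable offline.
    """
    return sha.lower() in {s.lower() for s in pr_commit_shas}


# Constructed sample data (not real GitHub payloads); only the fields used above.
REVIEWED = "0123456789abcdef0123456789abcdef01234567"
PR_COMMITS = ["fedcba9876543210fedcba9876543210fedcba98", REVIEWED]


def sample_event(association: str, body: str, on_pr: bool = True) -> dict:
    issue = {"number": 1, "pull_request": {}} if on_pr else {"number": 1}
    return {"issue": issue, "comment": {"author_association": association, "body": body}}


if __name__ == "__main__":
    sha = approved_sha(sample_event("MEMBER", f"/benchmark {REVIEWED}"))
    print("checkout ref:", sha if sha and sha_in_pr(sha, PR_COMMITS) else "refused")
```

In a workflow, a step running this would write the returned SHA to `GITHUB_OUTPUT` and the checkout step would use it as `ref`, so the job still runs the approved commit even if the fork branch moved in the meantime.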

@JeanMeche
Member

Can you please rebase your PR?

@JeanMeche JeanMeche added the action: cleanup The PR is in need of cleanup, either due to needing a rebase or in response to comments from reviews label Mar 4, 2025
@thePunderWoman
Contributor

Seeing no activity on this PR, I'm going to close it. Feel free to open a new PR if you'd like to land this change.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 1, 2025