Feat: Allow repo specific dangerfile. #129
Conversation
@vaind What do you think of this feature?

Q: Should I target V3?
Hey, haven't had a chance to look yet but makes sense in general.

Sorry for the extra tests I added (they got reverted). I wasn't sure why danger for changelogs wasn't triggering; it turned out there are new filters that skip the changelog check based on the title/description, which didn't happen on V2.

Tested the following cases here:
- Run with extra-dangerfile and extra-install-packages
- Run with extra-dangerfile and malicious shell script
- Run with no extra parameters
- Run with extra-dangerfile, extra-install-packages and a valid diff check for extra-dangerfile
@vaind I added the following steps:

b45617b to aac9829
@sentry review

Co-authored-by: Ivan Dlugos <6349682+vaind@users.noreply.github.com>
Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com>

@sentry review
danger/action.yml
Outdated
| --workdir /github/workspace \ | ||
| --user $(id -u) \ | ||
| -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \ | ||
| -e GITHUB_TOKEN="${{ inputs.api-token }}" \ |
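Review bot: `inputs.api-token` is expanded straight into the docker command line on the last line of this hunk (`-e GITHUB_TOKEN="${{ inputs.api-token }}"`), so the value is substituted into the script text before the shell parses it and also ends up in the process arguments of the `docker run` invocation. The other variables in the same hunk use the bare `-e "NAME"` form, which makes docker read the value from the step's environment; putting the token in the step `env:` and passing `-e GITHUB_TOKEN` here would match that pattern and keep the value out of the command line.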
Security: Direct Input Interpolation
This line directly interpolates inputs.extra-dangerfile into the environment variable assignment. According to repository security patterns, user-controlled inputs should be assigned to job-level env variables first to prevent injection attacks.
Recommendation: Add a job-level env block and reference it as ${{ env.EXTRA_DANGERFILE }}.
Did we get this right? 👍 / 👎 to inform future reviews.
@vaind do you want me to apply the patches for the env suggestion? (I don't see how it can make it safer, but if you prefer I will apply it.)

@lucas-zimerman yes please. Script inputs should always come through the env var to prevent injection.
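Why routing the input through `env` changes what the shell sees, as an added example that is not code from this PR or from the danger action: the runner substitutes `${{ inputs.* }}` expressions textually before bash ever parses the `run` script, whereas a quoted `"$NAME"` reference is expanded by bash itself, after quoting has been resolved. The script below models those two stages with `shlex` on a constructed input value that contains a quote and a semicolon. The `extra-dangerfile` input name comes from this PR; the `DANGERFILE` and `EXTRA_DANGERFILE` variable names and the shortened `docker run` lines are assumptions made for illustration.

```python
import shlex

# Constructed sample value (not from the PR): a string a contributor could place
# in a workflow input, containing a closing quote and a command separator.
UNTRUSTED_INPUT = 'dangerfile.js" ; echo injected ; "'


def expand_expressions(script: str, inputs: dict) -> str:
    """Stage 1 (runner): every ${{ inputs.NAME }} is replaced as plain text
    before any shell has parsed the script; quotes in the value are not escaped."""
    for name, value in inputs.items():
        script = script.replace("${{ inputs." + name + " }}", value)
    return script


def parse_commands(script: str) -> list:
    """Stage 2 (shell parse): tokenise like a POSIX shell and split into separate
    commands at each unquoted ';'. Returns a list of argv lists."""
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, argv = [], []
    for tok in lexer:
        if tok == ";":
            if argv:
                commands.append(argv)
            argv = []
        else:
            argv.append(tok)
    if argv:
        commands.append(argv)
    return commands


def expand_env(commands: list, env: dict) -> list:
    """Stage 3 (shell runtime): parameter expansion of $NAME inside already
    parsed words. Because the reference sat inside double quotes, the value can
    only change the content of one argv element, never add commands or arguments.
    Simplified model: unquoted word splitting and other expansions are ignored."""
    out = []
    for argv in commands:
        expanded = []
        for tok in argv:
            for name, value in env.items():
                tok = tok.replace("$" + name, value)
            expanded.append(tok)
        out.append(expanded)
    return out


def run_interpolated(value: str) -> list:
    """Pattern flagged in the review: the input is interpolated directly into the script."""
    script = 'docker run -e DANGERFILE="${{ inputs.extra-dangerfile }}" danger'
    expanded = expand_expressions(script, {"extra-dangerfile": value})
    return expand_env(parse_commands(expanded), {})


def run_via_env(value: str) -> list:
    """Recommended pattern: the input is put into the step env (assumed name
    EXTRA_DANGERFILE) and the script only references "$EXTRA_DANGERFILE"."""
    script = 'docker run -e DANGERFILE="$EXTRA_DANGERFILE" danger'
    expanded = expand_expressions(script, {})  # no expressions left in the script text
    return expand_env(parse_commands(expanded), {"EXTRA_DANGERFILE": value})


if __name__ == "__main__":
    # With the benign value both patterns yield the same single docker command.
    print(run_interpolated("dangerfile.js"))
    print(run_via_env("dangerfile.js"))
    # With the constructed value the interpolated script splits into three
    # commands, while the env route still yields one docker command whose
    # DANGERFILE argument carries the whole string as data.
    print(run_interpolated(UNTRUSTED_INPUT))
    print(run_via_env(UNTRUSTED_INPUT))
```

The model deliberately stops at tokenisation and never executes anything; its only purpose is to show where the boundary between code and data sits in each pattern, which is what makes the job-level `env` indirection safer even though the final `docker run` line looks the same.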
af33680 to 283729d
@vaind fixed the env var and also some nits

vaind left a comment:

Minor changes but should be good to go. I assume you've tested this in your repo already?

Correct. All the changes I have been testing here: getsentry/sentry-react-native#5235
Danger Action: https://github.com/getsentry/sentry-react-native/actions/runs/18656204660/job/53185832158?pr=5235
Co-authored-by: Ivan Dlugos <6349682+vaind@users.noreply.github.com>
Latest changes are working, tested on https://github.com/getsentry/sentry-react-native/actions/runs/18690191990/job/53293610166
d0106b4 to 3b57951

…install-packages features

Add test coverage for the new extra-dangerfile and extra-install-packages inputs:
- Create test-dangerfile.js demonstrating custom Danger checks
- Add extra-dangerfile-test job to verify custom dangerfiles execute correctly
- Add extra-packages-test job to verify package installation works
- Tests validate that custom dangerfiles can access the Danger API and installed packages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@lucas-zimerman I've made some minor adjustments, added integration tests and merged the changes. If I've accidentally broken something with your code, we can follow up in another PR.
I didn't notice this in the PR description - it's a feature and should have had a changelog

Thank you for all the reviews! The changes are working great when I point to the latest commit hash from this repo.

Based on V2.

The PR allows the danger CI to also include dangerfiles from the repo. This is good since only one github comment is allowed per repo, meaning that without this change, the danger used by the repo will overwrite the comment done by this repo.

This change adds a new step, loading an external dangerfile if set. It passes the default parameters, exposing the following items:
fail

The changes were tested on the following PR:
getsentry/sentry-react-native#5235 (comment)

How external libraries should be implemented
Here is an example file using the changes: https://github.com/getsentry/sentry-react-native/blob/3dcd68b8db138e90aff72d51e46f89a6b0b70b0c/scripts/check-replay-stubs.js
If there is approval on merging these changes on this repo, I will update the readme file with guides on how to use an external dangerfile.
#skip-changelog