From c2d28b932a73c8ca3e37a55902a9cb4f51859e8b Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Wed, 17 Jun 2026 16:53:02 -0700
Subject: [PATCH] ci: scope job permissions and use immutable base sha
---
 .github/workflows/pr-size.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pr-size.yml b/.github/workflows/pr-size.yml
index a3310247c..beb186051 100644
--- a/.github/workflows/pr-size.yml
+++ b/.github/workflows/pr-size.yml
@@ -33,6 +33,8 @@ jobs:
 python-diff-size:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
@@ -40,14 +42,14 @@ jobs:
 - name: Enforce Python diff size limit
 env:
 MAX: "1500"
+ BASE_SHA: ${{ github.event.pull_request.base.sha }}
 run: |
- base="origin/${{ github.base_ref }}"
 # Sum added + deleted lines across changed .py files; skip binaries ("-").
- total=$(git diff --numstat "$base...HEAD" -- '*.py' \
+ total=$(git diff --numstat "$BASE_SHA...HEAD" -- '*.py' \
 | awk '$1 != "-" && $2 != "-" { sum += $1 + $2 } END { print sum + 0 }')
 echo "Python churn: $total lines (limit $MAX)"
 if [ "$total" -gt "$MAX" ]; then
 echo "::error::Python changes total $total lines, over the $MAX-line limit. Split into smaller PRs."
- git diff --numstat "$base...HEAD" -- '*.py' | sort -rn
+ git diff --numstat "$BASE_SHA...HEAD" -- '*.py' | sort -rn
 exit 1
 fi
\ No newline at end of file
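Review bot: The new `BASE_SHA` is used unguarded in `git diff --numstat "$BASE_SHA...HEAD"` in the second hunk, so when it is empty (any trigger other than a pull_request event leaves `github.event.pull_request.base.sha` blank) or the commit is not present locally (the checkout's `with:` block in the first hunk is cut off, so whether `fetch-depth: 0` is set cannot be seen here), git prints an error to stderr, the awk fallback `print sum + 0` yields 0, and the size check passes silently. The previous `origin/${{ github.base_ref }}` form had the same fail-open shape, so this is pre-existing rather than introduced, but this commit is the natural place to close it. An explicit existence check at the top of the `run: |` script, before the first `git diff`, makes the job fail closed; moving the expression into `env:` instead of interpolating it into the script is the right pattern and should be kept.
```yaml
        run: |
          # Fail closed: BASE_SHA is empty on non-PR triggers and may be
          # unfetched on a shallow checkout; either way git diff would yield 0.
          if [ -z "$BASE_SHA" ] || ! git rev-parse --verify --quiet "${BASE_SHA}^{commit}" >/dev/null; then
            echo "::error::Base commit '${BASE_SHA:-<empty>}' is not available; cannot measure the Python diff."
            exit 1
          fi
          # … unchanged: numstat sum, limit check, per-file listing …
```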