build(workflows): fetch update_pr_copyright_years script from base repo#13331
build(workflows): fetch update_pr_copyright_years script from base repo#13331Planeshifter wants to merge 1 commit into
Conversation
The `update_pr_copyright_years.yml` reusable workflow (invoked by
`/stdlib update-copyright-years` in slash_commands.yml and by the
`bot: Update Copyright Years` label in label_commands.yml) failed
repeatedly with:
.github/workflows/scripts/update_pr_copyright_years/run: No such
file or directory
Root cause: the "Checkout repository" step checks out the PR's own
branch/repo (potentially an old or forked branch) into
$GITHUB_WORKSPACE, then the next step sources the tooling script from
that same untrusted checkout. If the PR branch predates the script's
addition to develop, or is a stale fork, the script simply isn't
present there.
This commit fetches the script from the base repository at
`${{ github.sha }}` (always the workflow's own commit, never the PR's)
into a temp file and executes it, instead of trusting the checked-out
PR branch for internal CI tooling.
Ref: https://github.com/stdlib-js/stdlib/actions/runs/28750106733
|
Flagging proactively since I found this while checking the other PRs from today's run for duplicates: #12742 (open since 2026-06-10) also fixes this exact workflow — via a broader approach (a sparse trusted checkout of the base repo into Generated by Claude Code |
Description
This pull request:
.github/workflows/update_pr_copyright_years.yml, a reusable workflow invoked by/stdlib update-copyright-years(slash_commands.yml) and by thebot: Update Copyright Yearslabel (label_commands.yml). The workflow's "Checkout repository" step checks out the PR's own branch/repository (from GitHub API PR details) into$GITHUB_WORKSPACE, and the following step then sourced the copyright-years tooling script from that same checkout:. "$GITHUB_WORKSPACE/.github/workflows/scripts/update_pr_copyright_years/run". If the PR's branch predates that script's addition todevelop, or is a stale/unrebased fork, the script isn't present there, and the step fails withNo such file or directory. This has failed repeatedly and recurringly across unrelated PRs (three times on 2026-07-05 alone, plus bursts on 2026-06-26 and 2026-06-17). The fix fetches the script from the base repository at${{ github.sha }}(the workflow's own commit, never the PR's, and not attacker-influenced the way the PR checkout is) into a temp file and executes it, instead of trusting the checked-out PR branch for internal CI tooling.Related Issues
None.
Questions
No.
Other
Found and fixed as part of automated CI-failure triage. Example failing run: https://github.com/stdlib-js/stdlib/actions/runs/28750106733 (job:
Update Copyright Years, viaslash_commands.yml).Validated by simulating the fixed step outside any repository checkout (
curlthe script from adevelopSHA into/tmp,chmod +x, run it against a test file) and confirming the copyright year updates correctly with no "No such file" error. Reviewed by three independent passes (correctness, regression scope, style/conventions); all approved with no blocking findings. Reviewer B noted the reusable workflow has two callers (slash_commands.ymlandlabel_commands.yml, not just the former) — both hit the identical failure mode and both benefit from this fix.Checklist
AI Assistance
If you answered "yes" above, how did you use AI assistance?
Disclosure
This PR was written primarily by Claude Code as part of an automated CI-failure triage and fix routine, based on live GitHub Actions job log analysis. The fix was reviewed by three independent automated review passes before being proposed here.
@stdlib-js/reviewers
Generated by Claude Code