Skip to content

Address Benjie's review feedback#56

Merged
magicmark merged 3 commits into
magicmark-patch-6from
fix/benjie-review-feedback
Jul 14, 2026
Merged

Address Benjie's review feedback#56
magicmark merged 3 commits into
magicmark-patch-6from
fix/benjie-review-feedback

Conversation

@magicmark

@magicmark magicmark commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Addresses the review comments from benjie on #40:

  1. ref: main on checkout step — makes it explicit we're pulling trusted config from main, not from the PR branch
  2. Commit hash in deploy message — adds (${{ github.event.workflow_run.head_sha }}) for traceability
  3. Extract inline JS — moves the hide-old-comments logic to .github/scripts/hide-old-deploy-comments.mjs (also adds .github/scripts to sparse-checkout so it's available at runtime)
  4. Security: outside bounds zip extraction — documents that actions/download-artifact handles extraction safely
  5. Security: static-only wrangler — documents that wrangler is configured for static asset serving only

All changes verified end-to-end on magicmark/gaps-website-test-1 with both fork and non-fork PRs deploying successfully to Cloudflare Workers.

- Add explicit ref: main to checkout step (prevents config poisoning)
- Include commit hash in wrangler deploy message for traceability
- Extract hide-old-comments logic to .github/scripts/hide-old-deploy-comments.mjs
- Add .github/scripts to sparse-checkout so the extracted script is available
- Add security comments documenting zip-slip safety and static-only wrangler model
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 25, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gaps e680187 Commit Preview URL

Branch Preview URL
Jul 14 2026, 06:30 AM

@magicmark magicmark marked this pull request as draft June 25, 2026 05:35

@benjie benjie left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! 🙌

Comment thread .github/scripts/hide-old-deploy-comments.mjs Outdated
Comment thread .github/scripts/hide-old-deploy-comments.mjs Outdated
Comment thread .github/workflows/preview-deploy.yml Outdated
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
command: versions upload --preview-alias "pr-${{ steps.pr.outputs.number }}" --message "PR #${{ steps.pr.outputs.number }} preview"
command: versions upload --preview-alias "pr-${{ steps.pr.outputs.number }}" --message "PR #${{ steps.pr.outputs.number }} preview (${{ github.event.workflow_run.head_sha }})"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does wranger versions upload do a pure upload, or might it read any configuration/run any scripts/be influenced by any content from within _site?

@magicmark magicmark Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My claude is very confident this is safe:


For an assets-only config (no main), wrangler versions upload --no-bundle does not execute anything from _site.

  1. Config — Wrangler resolves config (wrangler.jsonc) by starting from the current working directory and walking upward; it does not search downward into _site.
  2. Entry — because the config has assets and no main, getEntry() takes the assets branch and resolves the Worker entry to Wrangler’s own internal templates/no-op-worker.js, not anything
    from _site.
  3. Custom buildskipped here because the config has no build.command.
  4. Bundling--no-bundle skips esbuild/bundling; Wrangler just packages/copies the internal no-op Worker entry.
  5. Asset upload — uploads files from _site as static assets to Cloudflare's CDN

So no, code from _site is not executed by Wrangler. The files in _site are used only as static asset content for the upload.

Relevant source: resolveEntryWithAssets() returns the internal no-op template when config has assets but no main, and getEntry() hits the args.assets || config.assets branch.


...and I had codex confirm it too:


Confirmed: the security substance is right. For an assets-only Wrangler config with no main and no build.command, _site is read as asset content, not as config, an entrypoint, or executable build input. getEntry() reaches the args.assets || config.assets branch, resolveEntryWithAssets() resolves the Worker entry to Wrangler’s internal templates/no-op-worker.js, runCustomBuild() only runs a command when build.command exists, and --no-bundle takes the no-bundle path instead of bundleWorker()/esbuild.


this isn't explicitly clarified in docs that i can find, so without fully auditing and pentesting I can't be 100% sure, but this passes the smell test to me. wdyt?

magicmark and others added 2 commits July 14, 2026 01:11
- Use github.paginate to find deploy-preview comments beyond the
  first 30 results
- Filter by github-actions[bot] author to avoid hiding human comments
  that quote the deploy-preview marker

Co-Authored-By: Claude <noreply@anthropic.com>
The assets-only config already resolves to wrangler's internal no-op
template, so bundling is unnecessary. Skipping it removes any ambiguity
about whether esbuild could be influenced by _site contents.

Co-Authored-By: Claude <noreply@anthropic.com>
@magicmark magicmark marked this pull request as ready for review July 14, 2026 06:50
@magicmark magicmark merged commit 17b1a4f into magicmark-patch-6 Jul 14, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants