[MOSIP-44260] Update xlsx-to-csv.yml#408
Signed-off-by: Abhishek S <127825992+abhishek8shankar@users.noreply.github.com>
Walkthrough

The workflow now detects XLSX file changes via GitHub API before running conversion steps. Repository cloning, setup, dependency installation, CSV conversion, and commit/push operations are all conditionally executed only when

Changes

XLSX Change Detection and Conditional Execution
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/xlsx-to-csv.yml:
- Around line 23-24: The current FILES fetch only reads the default first page
of the PR files API, so XLSX_CHANGED can be zero for large PRs; update the logic
that sets FILES and XLSX_CHANGED to paginate through the GitHub PR files
endpoint (use per_page=100 and loop over page=1..N until an empty page) and
concatenate/append results into FILES before running the jq count; ensure the
same curl/authorization usage is applied per page and then compute XLSX_CHANGED
from the aggregated FILES array.
- Around line 17-25: The check_xlsx step (id: check_xlsx) assumes a PR payload
by unconditionally using github.event.number and calling the PR files API;
update this step to be event-aware: first detect event via github.event_name (or
check github.event.pull_request) and only set PR_NUMBER and call the GitHub PR
files API when the event is a pull_request; for non-PR runs (workflow_dispatch)
set XLSX_CHANGED to 0 (or skip the curl call) so downstream steps that use the
xlsx_changed output and any PR-derived variables won't break; apply the same
event-aware guard to the other places you reference PR fields (the other
occurrences noted) so they either short-circuit or emit safe defaults when no PR
exists.
- Around line 20-23: The workflow is expanding attacker-controlled
github.event.* values (e.g., the inline PR_NUMBER and FILES curl invocation)
directly inside a run step under pull_request_target, which can exfiltrate
secrets; change the flow so you do not interpolate github.event.pull_request.*
into shell commands: instead add a separate, safe step that reads the event
payload via actions/github-script (octokit) or by parsing GITHUB_EVENT_PATH with
jq to extract and validate the PR number (and any other pull_request fields),
set those as step outputs or sanitized env vars, and then use those outputs (not
raw github.event expressions) in the subsequent run/curl step (or perform the
API call with octokit directly) to eliminate direct untrusted expansion in the
shell; update usages of PR_NUMBER, FILES, and the curl call accordingly and
remove any direct ${{ github.event.* }} interpolations in run steps when using
pull_request_target.
📒 Files selected for processing (1)
.github/workflows/xlsx-to-csv.yml
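The three findings above (paginating the PR files endpoint, guarding on the event type, and not expanding github.event.* inside a run step) as one added shell example; this is not the MOSIP workflow's own code. The PR number is read from the event payload file with a digits-only match, and `fetch_page` is a hypothetical stub that returns constructed pages so the script runs offline; in a real step it would be the curl call against the PR files endpoint.

```shell
#!/usr/bin/env bash
# Added example, not the xlsx-to-csv.yml workflow's own code.
set -eu

# Hypothetical fetcher: prints one page of the PR files API as JSON.
# In a real step this would be something like:
#   curl -sSf -H "Authorization: Bearer $GITHUB_TOKEN" \
#     "https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$1/files?per_page=100&page=$2"
# Here it returns constructed pages so the example runs offline.
fetch_page() {   # $1 = PR number, $2 = page
  case "$2" in
    1) printf '[{"filename":"data/a.xlsx"},{"filename":"README.md"}]' ;;
    2) printf '[{"filename":"data/b.XLSX"},{"filename":"x.csv"}]' ;;
    *) printf '[]' ;;
  esac
}

# Print the PR number from the event payload file, or nothing for non-PR events
# (e.g. workflow_dispatch). The payload is parsed with a strict digits-only
# match instead of being expanded into the shell via ${{ github.event.* }}, so
# a hostile payload cannot inject shell metacharacters into later commands.
pr_number_from_event() {   # $1 = event name, $2 = path to event JSON
  [ "$1" = "pull_request" ] || [ "$1" = "pull_request_target" ] || return 0
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$2" | head -n1
}

# Count changed .xlsx files across every page of the PR files endpoint,
# stopping at the first empty page, so large PRs are not undercounted.
count_xlsx_changed() {     # $1 = PR number
  local page=1 total=0 body n
  while :; do
    body=$(fetch_page "$1" "$page")
    [ "$body" = "[]" ] && break
    n=$(printf '%s' "$body" | grep -o '"filename":"[^"]*\.[xX][lL][sS][xX]"' | wc -l)
    total=$((total + n))
    page=$((page + 1))
  done
  echo "$total"
}

# Usage inside a run step (hypothetical wiring):
#   PR=$(pr_number_from_event "$GITHUB_EVENT_NAME" "$GITHUB_EVENT_PATH")
#   if [ -n "$PR" ]; then XLSX_CHANGED=$(count_xlsx_changed "$PR"); else XLSX_CHANGED=0; fi
#   echo "xlsx_changed=$XLSX_CHANGED" >> "$GITHUB_OUTPUT"
```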