Conversation

@emily8rown
Contributor

Summary:
[INTERNAL] [FIXED] - Fix diff-js-api-changes workflow to correctly compare PR head vs merge base

The diff-js-api-changes action was comparing main to main instead of comparing the PR head to the point of main it branched from.

The workflow now:

  1. Checks out main in danger-pr.yml to get the trusted scripts
  2. Fetches the PR head commit and computes the merge base (the point it branched from main)
  3. Extracts the API snapshots from both refs using git show to read-only temp files
  4. Runs main's diff script to compare the two snapshots

Security notes:

  • git fetch only downloads git objects; it does not modify the working directory
  • git show <sha>:path extracts a file as read-only data, not executable code
  • All executed scripts come from main (trusted), PR content is only used as data
  • The PR's .d.ts file is written to a temp directory and passed as input to main's diff script

Differential Revision: D90978905

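The four-step procedure from the PR description (fetch the PR head, compute the merge base, extract both snapshots with `git show` into read-only temp files, diff them) as an added shell example. This is not the PR's or the project's workflow code: it builds a constructed throwaway repository standing in for upstream (the snapshot path `packages/api/Api.d.ts`, the branch name `pr-branch` and all file contents are assumptions), compares the PR head's snapshot against its merge base with `main`, and for contrast also compares it against current `main` to show the spurious removal that the wrong base produces. The PR commit also carries a shell script that is never run: it stays in the object store and never reaches the working tree.

```shell
#!/bin/sh
# Added example (not the project's workflow code): compare a PR's API
# snapshot (.d.ts) against the snapshot at the PR's merge base with main,
# reading both revisions as data with `git show` and never checking out the
# PR branch. The snapshot path and the fixture contents are assumptions.
set -eu

SNAPSHOT="packages/api/Api.d.ts"   # assumed path of the API snapshot

# Constructed fixture: one throwaway repository standing in for upstream.
# main has a snapshot; a PR branch changes it (and adds a script that must
# never run); main then advances, so merge base != current main.
make_fixture() {
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.email ci@example.invalid
  git -C "$repo" config user.name ci
  mkdir -p "$repo/$(dirname "$SNAPSHOT")"
  printf 'export function foo(): void;\n' > "$repo/$SNAPSHOT"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "base api"
  git -C "$repo" checkout -q -b pr-branch
  printf 'export function foo(): void;\nexport function bar(): number;\n' > "$repo/$SNAPSHOT"
  printf '#!/bin/sh\necho pwned\n' > "$repo/evil.sh"   # untrusted PR content
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "pr: add bar (and an untrusted script)"
  git -C "$repo" checkout -q main
  printf 'export function foo(): void;\nexport function baz(): string;\n' > "$repo/$SNAPSHOT"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "main: add baz after the PR branched"
  echo "$repo"
}

# Extract SNAPSHOT at two commits into read-only temp files and diff them.
# $1 repo, $2 base sha/ref, $3 head sha/ref. Prints the unified diff;
# the exit status is diff's own: 0 identical, 1 differ.
extract_and_diff() {
  repo=$1; base=$2; head=$3
  tmp=$(mktemp -d)
  # `git show <sha>:<path>` reads the blob from the object store as data:
  # nothing from the PR commit lands in the working tree or gets executed.
  git -C "$repo" show "$base:$SNAPSHOT" > "$tmp/base.d.ts"
  git -C "$repo" show "$head:$SNAPSHOT" > "$tmp/head.d.ts"
  chmod 0444 "$tmp/base.d.ts" "$tmp/head.d.ts"
  rc=0
  diff -u "$tmp/base.d.ts" "$tmp/head.d.ts" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# The fixed behaviour: the base is the merge base of main and the PR head.
# (In a real workflow main would be origin/main and the head sha would come
# from the fetched PR head; the git plumbing is the same.)
diff_against_merge_base() {
  repo=$1; head=$(git -C "$repo" rev-parse "$2")
  base=$(git -C "$repo" merge-base main "$head")
  extract_and_diff "$repo" "$base" "$head"
}

# The wrong comparison, kept for contrast: head against *current* main.
# Commits that landed on main after the branch point show up as removals.
diff_against_current_main() {
  repo=$1; head=$(git -C "$repo" rev-parse "$2")
  extract_and_diff "$repo" main "$head"
}

# Stand-alone usage: `sh this.sh demo` builds the fixture and prints the
# diff computed against the merge base.
if [ "${1:-}" = "demo" ]; then
  r=$(make_fixture)
  diff_against_merge_base "$r" pr-branch || true
fi
```

Against the merge base the diff contains only the PR's own addition; against current `main` it also reports the removal of an export that the PR never touched, which is the kind of false signal a wrong base produces. Throughout, the checked-out tree stays on `main`, so the PR's `evil.sh` is never present on disk.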
@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jan 20, 2026
@meta-codesync

meta-codesync bot commented Jan 20, 2026

@emily8rown has exported this pull request. If you are a Meta employee, you can view the originating Diff in D90978905.

