Automate x.com to twitter.com URL transformation in GitHub Actions #279
Conversation
Co-authored-by: realcodywburns <[email protected]>
|
@copilot From what i recall we have submitted pr's to the upstream twitter together app that have not been merged on the same issue. I do not like changing the pr's as this is an anti pattern and time consuming for reviewers. Investigate how to make updates to either the existing gh action or create another pipeline to automate the x.com => twitter.com transformation |
Co-authored-by: realcodywburns <[email protected]>
Yes, we fixed it! I've implemented automated x.com → twitter.com URL transformation in the GitHub Actions workflow (commit db64ac7). The automation runs before validation and tweeting, automatically transforming any x.com URLs and committing them back to the branch. This eliminates the need for manual URL changes in PRs. |
There was a problem hiding this comment.
Pull Request Overview
This PR adds automatic URL transformation functionality to the Twitter Together workflow to convert x.com URLs to twitter.com format before tweeting. The changes address compatibility with the Twitter API by ensuring URLs use the legacy twitter.com domain.
Key changes:
- Added automated x.com to twitter.com URL transformation in both preview and tweet jobs
- Updated checkout configuration to use branch ref and repository for PR head commits
- Added
contents: writepermission to enable automated commits
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ref: ${{ github.event.pull_request.head.ref }} | ||
| repository: ${{ github.event.pull_request.head.repo.full_name }} |
There was a problem hiding this comment.
Checking out code from the PR head repository using pull_request_target is a security risk. This allows code from untrusted forks to run with write permissions in the base repository's context. An attacker could modify the workflow or inject malicious code. Use github.event.pull_request.head.sha instead of head.ref, and validate PR content before executing any code from it.
| ref: ${{ github.event.pull_request.head.ref }} | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} |
There was a problem hiding this comment.
Ack. This will ensure the same version of the code is used every time, i agree this is more secure than a name matching because we get granular control over which we are running
| id: transform | ||
| run: | | ||
| echo "Starting URL transformation..." | ||
| find tweets -name "*.tweet" -type f -exec sed -i 's|https://x\.com/|https://twitter.com/|g' {} + |
There was a problem hiding this comment.
The URL transformation logic is duplicated between the preview job (line 22) and tweet job (line 50). Extract this into a reusable composite action or shell script to follow the DRY principle and simplify maintenance.
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| steps: | ||
| - name: checkout main | ||
| uses: actions/checkout@v3 |
There was a problem hiding this comment.
The checkout action in the tweet job should specify token parameter with appropriate permissions to enable the subsequent git push operation. Without explicit token configuration, the push may fail or use unexpected credentials.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} |
|
@copilot review the comments on the last pr, make appropriate updates based on the commentary |
…ing token Co-authored-by: realcodywburns <[email protected]>
I've addressed all the review comments in commit df31933:
The workflow is now more secure, maintainable, and follows best practices. |
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| # Configure git user | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
|
|
||
| # Commit and push changes | ||
| git add tweets/ | ||
| git commit -m "Auto-transform x.com URLs to twitter.com format [skip ci]" | ||
| git push | ||
|
|
||
| echo "Changes committed and pushed" |
There was a problem hiding this comment.
The git push command will fail in the pull_request_target context. When the preview job checks out github.event.pull_request.head.sha, it results in a detached HEAD state without a proper branch reference. Additionally, for external contributors, the workflow cannot push to their fork. Consider removing automatic commits from the preview job and only performing transformations in the tweet job when merging to main, or implement a different approach such as commenting on the PR to request manual fixes.
| # Configure git user | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| # Commit and push changes | |
| git add tweets/ | |
| git commit -m "Auto-transform x.com URLs to twitter.com format [skip ci]" | |
| git push | |
| echo "Changes committed and pushed" |
There was a problem hiding this comment.
The intent of using sha was to ensure we were retrieving the correct. If the transformation is only for the push to main this will make sense. We should have the action remind the team of this in the pr before the final push to main if feasible
.github/scripts/transform-urls.sh
Outdated
| echo "Starting URL transformation..." | ||
|
|
||
| # Find all tweet files and transform x.com URLs to twitter.com | ||
| find tweets -name "*.tweet" -type f -exec sed -i 's|https://x\.com/|https://twitter.com/|g' {} + |
There was a problem hiding this comment.
The find command with -exec ... {} + will fail if no .tweet files are found, causing the script to exit with an error due to set -e. Add a check to verify the tweets directory exists and contains files, or use || true to prevent failures when no files match.
| find tweets -name "*.tweet" -type f -exec sed -i 's|https://x\.com/|https://twitter.com/|g' {} + | |
| find tweets -name "*.tweet" -type f -exec sed -i 's|https://x\.com/|https://twitter.com/|g' {} + || true |
There was a problem hiding this comment.
Ack. This will be useful in cases like the current pr where the code is not a new tweet and the check is un necessarily blocking
| - name: Transform x.com URLs to twitter.com | ||
| run: bash .github/scripts/transform-urls.sh |
There was a problem hiding this comment.
Running a script that automatically commits and pushes changes during pull_request_target poses a security risk. The README explicitly warns: 'Do not trigger Actions from Pull Requests that suspiciously modify the workflow file.' While this adds a new script rather than modifying the workflow itself, it introduces arbitrary code execution that modifies and commits files in the context of pull requests from forks. Consider moving this transformation to only run in the tweet job (on push to main), or implement a non-automated approach such as a validation check that fails with a helpful message when x.com URLs are detected.
| - name: Transform x.com URLs to twitter.com | |
| run: bash .github/scripts/transform-urls.sh | |
| - name: Validate no x.com URLs present | |
| run: | | |
| if grep -r 'x\.com' .github/tweets; then | |
| echo "Error: x.com URLs detected in tweet files. Please replace with twitter.com URLs before submitting." | |
| exit 1 | |
| fi |
.github/scripts/transform-urls.sh
Outdated
| @@ -0,0 +1,31 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
[nitpick] Consider using #!/usr/bin/env bash instead of #!/bin/bash for better portability across different systems where bash might be installed in different locations.
| #!/bin/bash | |
| #!/usr/bin/env bash |
realcodywburns
left a comment
realcodywburns
left a comment
There was a problem hiding this comment.
The transformation script needs revisions @copilot
Co-authored-by: realcodywburns <[email protected]>
I've revised the transformation script in commit b3ea8a7:
The preview job now informs the team about x.com URLs without trying to modify them, and transformation only happens when merging to main. |
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
The actual fix will be in https://github.com/ethereumclassic/Contribunator The fix should have been ethereumclassic/Contribunator@b82b9dd But the test didn't pass, or something, I will investigate... |
The upstream twitter-together action doesn't support
x.comURLs, onlytwitter.comformat. This PR implements automated URL transformation in the GitHub Actions workflow to eliminate the need for manual URL changes in PRs.Changes Made
.github/workflows/twitter-together.yml).github/scripts/transform-urls.shfollowing DRY principlex.comformat to demonstrate the automationhead.shainstead ofhead.refto prevent malicious code execution from untrusted forks|| trueto find command to prevent failures when no tweet files exist, uses portable#!/usr/bin/env bashshebangHow It Works
For Pull Requests:
For Main Branch:
.github/scripts/transform-urls.sh) that runs asedcommand to find and replace allhttps://x.com/URLs withhttps://twitter.com/in tweet files[skip ci]to prevent infinite loopsBenefits
head.shafor secure checkouts💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.