fix: remove artifact storage usage in review action [SUP-84] #36

Open
antonychiu2 wants to merge 3 commits into main from antony/sup-84-review-action-fills-github-artifact-storage-on-every-pr

@antonychiu2
Collaborator

Summary

  • Removes the actions/upload-artifact / actions/checkout / actions/download-artifact chain from review/action.yml
  • Replaces shell-derived values with GitHub Actions context: REPO, COMMIT_HASH, VUL_FILE_PATH
  • Eliminates artifact storage usage on every PR run

Why

A customer reported that the review action fills their GitHub artifact storage quota because it runs on every PR. Investigation showed the artifact upload existed only to preserve the SAST report file across a destructive second actions/checkout. That checkout itself was a workaround for GITHUB_SHA pointing to a synthetic merge commit on pull_request events.

Both workarounds are unnecessary:

  • Real PR head SHA → github.event.pull_request.head.sha
  • Repo URL → github.server_url/github.repository
  • mobbdev no longer needs the local workspace (-p . was removed in 6c55ca0)

Linear: SUP-84

Test plan

  • Verify the action runs end-to-end on a PR with a SAST report
  • Confirm fix-report-url is produced and the GitHub status check is set
  • Confirm no artifact named vul-report is created in the run
  • Verify the commit SHA passed to mobbdev matches the PR head commit (not the merge commit)

The upload-artifact/checkout/download-artifact dance existed solely to
preserve the SAST report file across a destructive second checkout. The
checkout itself was a workaround for GITHUB_SHA pointing to a synthetic
merge commit on pull_request events.

Both workarounds are unnecessary now:
- The real PR head SHA is available at github.event.pull_request.head.sha
- The repo URL is derivable from github.server_url/github.repository
- mobbdev no longer needs the local workspace (-p . removed in 6c55ca0)

This eliminates artifact storage usage on every PR, which was filling
customer GitHub storage quotas.
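
One way a `run:` step could consume these values, as an added example that is not the action's own code. It assumes the step maps github.event.pull_request.head.sha into a variable named PR_HEAD_SHA through its `env:` block (a hypothetical name, as are the function names), so the context value is validated as data instead of being interpolated into the script text.

```shell
#!/bin/sh
# Added example: hypothetical helpers for a composite action's `run:` step.
# PR_HEAD_SHA is an assumed env var, mapped in the step's `env:` block from
# github.event.pull_request.head.sha; it is empty on non-PR events.
# GITHUB_SHA, GITHUB_SERVER_URL and GITHUB_REPOSITORY are runner defaults.

# Succeeds only for a full 40-character lowercase hex commit id.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Print the commit to scan: the PR head when present, otherwise GITHUB_SHA
# (which on pull_request events is the synthetic merge commit).
resolve_commit_hash() {
  sha="${PR_HEAD_SHA:-${GITHUB_SHA:-}}"
  if ! is_full_sha "$sha"; then
    echo "refusing unexpected commit id: '$sha'" >&2
    return 1
  fi
  printf '%s\n' "$sha"
}

# Print the repository URL without needing a local checkout or git.
resolve_repo_url() {
  if [ -z "${GITHUB_SERVER_URL:-}" ] || [ -z "${GITHUB_REPOSITORY:-}" ]; then
    echo "GITHUB_SERVER_URL and GITHUB_REPOSITORY must be set" >&2
    return 1
  fi
  printf '%s/%s\n' "${GITHUB_SERVER_URL%/}" "$GITHUB_REPOSITORY"
}
```
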
@github-actions

github-actions Bot commented May 8, 2026

No security issues were found ✅

Awesome! No vulnerabilities were found by CodeQL in the changes made as part of this PR.
Please notice there are issues in this repo that are unrelated to this PR.

antonychiu2 requested review from mobbjon and yhaggai May 8, 2026 22:43