From 6ec831019d7a158c5ef0b1b8fb5235f15b4b5fe5 Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Fri, 8 May 2026 11:41:42 -0600 Subject: [PATCH 1/3] fix: remove artifact storage usage in review action [SUP-84] The upload-artifact/checkout/download-artifact dance existed solely to preserve the SAST report file across a destructive second checkout. The checkout itself was a workaround for GITHUB_SHA pointing to a synthetic merge commit on pull_request events. Both workarounds are unnecessary now: - The real PR head SHA is available at github.event.pull_request.head.sha - The repo URL is derivable from github.server_url/github.repository - mobbdev no longer needs the local workspace (-p . removed in 6c55ca0) This eliminates artifact storage usage on every PR, which was filling customer GitHub storage quotas. --- review/action.yml | 28 +++------------------------- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/review/action.yml b/review/action.yml index 1ce4d2d..73436f7 100644 --- a/review/action.yml +++ b/review/action.yml 
@@ -26,40 +26,18 @@ outputs: runs: using: "composite" steps: - # save report since the checkout step deletes it - - uses: actions/upload-artifact@v4 - id: vul-report-upload - with: - name: vul-report - path: ${{ inputs.report-file }} - run: echo "Artifact ID is ${{ steps.vul-report-upload.outputs.artifact-id }}" - shell: bash -l {0} - - # needed since we get wrong hash. this step deletes the report file, so need to save it beforehand - - uses: actions/checkout@v3 - name: checkout-to-branch - with: - ref: ${{ github.head_ref }} - - # restore the report file - - uses: actions/download-artifact@v4 - with: - name: vul-report - path: results - - uses: actions/setup-node@v3.6.0 with: node-version: 18 - id: run-npx-mobb-dev run: | - REPO=$(git remote get-url origin) - REPO=${REPO%".git"} + REPO="${{ github.server_url }}/${{ github.repository }}" GITHUB_TOKEN=${{ inputs.github-token }} SCANNER=${{ inputs.scanner }} - COMMIT_HASH=$(git rev-parse $GITHUB_HEAD_REF) + COMMIT_HASH="${{ github.event.pull_request.head.sha }}" PR_NUMBER=${{ github.event.pull_request.number }} - VUL_FILE_PATH=results/$(basename ${{ inputs.report-file }}) + VUL_FILE_PATH="${{ inputs.report-file }}" MobbExecString="npx --yes mobbdev@latest review -r $REPO --ref $GITHUB_HEAD_REF --ch $COMMIT_HASH --api-key ${{ inputs.api-key }} -f $VUL_FILE_PATH --pr $PR_NUMBER --github-token ${{ inputs.github-token }} --scanner $SCANNER" # Check if mobb-project-name exists and append it From ff5484813c6df55da392c2972002c6027d77c273 Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Fri, 8 May 2026 11:59:00 -0600 Subject: [PATCH 2/3] fix: bump setup-node to v20 --- review/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review/action.yml b/review/action.yml index 73436f7..7b317fa 100644 --- a/review/action.yml +++ b/review/action.yml @@ -28,7 +28,7 @@ runs: steps: - uses: actions/setup-node@v3.6.0 with: - node-version: 18 + node-version: 20 - id: run-npx-mobb-dev run: | 
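Review bot: The new `COMMIT_HASH="${{ github.event.pull_request.head.sha }}"` line expands to an empty string whenever the calling workflow is not triggered by a pull_request-family event, and the script then runs mobbdev with `--ch ""` instead of failing early; the removed `git rev-parse` call was no better, but this rewrite is the place to add the check, e.g. `[ -n "$COMMIT_HASH" ] || { echo "::error::review action needs a pull_request event (no head SHA)"; exit 1; }` right after the assignment (the same guard also covers the empty `$GITHUB_HEAD_REF` passed to `--ref`). The new `VUL_FILE_PATH="${{ inputs.report-file }}"` interpolates an action input straight into the `run:` script, so a value containing a double quote or `$(` would rewrite the command; it would be safer to expose it through the step's `env:` (for example `REPORT_FILE: ${{ inputs.report-file }}`) and write `VUL_FILE_PATH="$REPORT_FILE"`, which also avoids leaking an odd path into the job log. Quoting the new `REPO` and `COMMIT_HASH` assignments is good, but `MobbExecString` on the following line still expands `$REPO`, `$COMMIT_HASH` and `$VUL_FILE_PATH` unquoted inside the string, so a report path with spaces will be split when it is executed. The `run: |` script of the run-npx-mobb-dev step continues past the end of this hunk.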
From 26ba29ab7c51022bb8feda1682e4cd9198d6c308 Mon Sep 17 00:00:00 2001 From: Antony Chiu Date: Fri, 8 May 2026 12:52:43 -0600 Subject: [PATCH 3/3] fix: bump root action setup-node to v20 --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 34d6dd8..9585798 100644 --- a/action.yml +++ b/action.yml @@ -35,7 +35,7 @@ runs: steps: - uses: actions/setup-node@v3.6.0 with: - node-version: 18 + node-version: 20 - id: run-npx-mobb-dev run: | REPO=$(git remote get-url origin)