Merged
32 changes: 32 additions & 0 deletions .github/workflows/react-doctor.yml
@@ -0,0 +1,32 @@
name: React Doctor

on:
push:
branches: [main]
paths:
- "frontend/src/landing/**"
- ".github/workflows/react-doctor.yml"
pull_request:
paths:
- "frontend/src/landing/**"
- ".github/workflows/react-doctor.yml"
greptile-apps[bot] marked this conversation as resolved.

permissions:
contents: read
pull-requests: write
statuses: write

jobs:
doctor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

# Composite action: installs react-doctor itself, runs the scan against
# the landing site, posts a sticky PR summary + inline review comments,
# and publishes a commit status. Default blocking=error means only
# error-severity findings fail the job; warnings are reported but don't
# block.
- uses: millionco/react-doctor@v2

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security: Unpinned mutable action tag with write permissions

millionco/react-doctor@v2 is a floating tag; if the upstream repo moves that tag to a new commit (accidentally or due to a supply-chain compromise), arbitrary code will run with pull-requests: write and statuses: write on every triggered workflow. The react-doctor docs explicitly call out this exact scenario: "For hardened CI — recommended whenever the workflow is granted pull-requests: write — pin to a full commit SHA instead and let Dependabot or Renovate keep it current." Pinning to the SHA of the current v2 head and adding a Dependabot/Renovate entry for the action removes the risk while keeping the version current.

with:
directory: frontend/src/landing
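Review bot: the workflow-level permissions block (pull-requests: write, statuses: write) is granted to every job under both the push and pull_request triggers, yet on pull_request runs from forks the GITHUB_TOKEN is read-only regardless, so the sticky PR summary and commit status the action tries to post will fail for fork contributions; declare the write scopes on the doctor job only so nothing else added to this workflow later inherits them, and, as the inline comment already notes, pin millionco/react-doctor to a full commit SHA rather than the floating v2 tag so those write scopes are not exposed to a moved tag.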