Maintenance: package size report failing

[dreamorosi]

Bug description

The newly merged "Package size report" step in our CI/CD is currently failing for all executions, see example here.

Expected Behavior

Step should be succeeding and report the size.

Current Behavior

It fails

Possible Solution

N/A

Steps to Reproduce

N/A

Environment

• Powertools version used:
• Packaging format (Layers, npm):
• AWS Lambda function runtime:
• Debugging logs:

Related issues, RFCs

#878

[flochaz]

Dependabot only have Read-only permission (https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/) . Need to investigate what is the best to give only permission to comment (and read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

[dreamorosi]

Okay, so this issue would happen only for dependant's PRs?

For PR that come from real users would it work fine? And what about from forks?

[flochaz]

PR from fork won't work neither.
Changing to pull_request_target with an explicit PR checkout would most likely work but is opening vulnerability (https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). Risk can be mitigated with what we already have (need of approval before workflow run for forked PR) or add label check (see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more details on that).

But the recommended approach would be to split in 2 flows : one to build and capture all the actions outputs in a dedicated workflow triggered on pull_request and have a chain workflow to add comment with write permission ...

[dreamorosi]

Oh I see what you mean, check this PR that I was working a year ago that used data artifacts from one workflow and then used them to do something.

Thanks for looking into this!

[flochaz]

Oh I see what you mean, check this PR that I was working a year ago that used data artifacts from one workflow and then used them to do something.

Thanks for looking into this!

But I need to change the way the action work, will propose a fix asap

[dreamorosi]

yes sorry, didn't mean to say it was a solution, I was just sharing in case it was helpful

[dreamorosi]

Wanted to leave here some info to keep the issue up to date with the current state of events:

• We have disabled Dependabot automatic PRs for regular updates in chore: disable dependabot for dependencies upgrades #992 - this means the number of Dependabot PRs will considerable decrease and be limited to security-related updates
• For any kind of Dependabot PR I have found out that manually re-running the actions (i.e. after they have failed) removes the issue (example)
• Considering the previous two points we currently think it's acceptable to have to manually re-run these actions given the low and sporadic amount of PRs coming from the bot
• Alternatives such as GitHub Actions Job Summaries, paired with a threshold of the % increase that would make the action fail altogether could potentially remove the permission issue around comments

[github-actions]

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[dreamorosi]

Released as a part of v1.1.0