Fix diff-js-api-changes to compare PR head vs merge base #55245

Closed
emily8rown wants to merge 1 commit into facebook:main from emily8rown:export-D90978905

@emily8rown
Contributor

Summary:
[INTERNAL] [FIXED] - Fix diff-js-api-changes workflow to correctly compare PR head vs merge base

The diff-js-api-changes action was comparing main to main instead of comparing the PR head to the point of main it branched from.

The workflow now:

  1. Checks out main in danger-pr.yml to get the trusted scripts
  2. Fetches the PR head commit and computes the merge base (the point it branched from main)
  3. Extracts the API snapshots from both refs using git show to read-only temp files
  4. Runs main's diff script to compare the two snapshots

Security notes:

  • git fetch only downloads git objects, it does not modify the working directory
  • git show <sha>:path extracts a file as read-only data, not executable code
  • All executed scripts come from main (trusted), PR content is only used as data
  • The PR's .d.ts file is written to a temp directory and passed as input to main's diff script

Differential Revision: D90978905

@meta-cla meta-cla bot added the CLA Signed label Jan 20, 2026
@meta-codesync

meta-codesync bot commented Jan 20, 2026

@emily8rown has exported this pull request. If you are a Meta employee, you can view the originating Diff in D90978905.

Summary:

[INTERNAL] [FIXED] - Fix diff-js-api-changes workflow to correctly compare PR head vs merge base

The `diff-js-api-changes` action was comparing main to main instead of comparing the PR head to the point of main it branched from.

The workflow now:
1. Checks out main in `danger-pr.yml` to get the trusted scripts
2. Fetches the PR head commit and computes the merge base (the point it branched from main)
3. Extracts the API snapshots from both refs using `git show` to read-only temp files
4. Runs main's diff script to compare the two snapshots

**Security notes:**
- `git fetch` only downloads git objects, it does not modify the working directory
- `git show <sha>:path` extracts a file as read-only data, not executable code
- All executed scripts come from main (trusted), PR content is only used as data
- The PR's `.d.ts` file is written to a temp directory and passed as input to main's diff script

Reviewed By: huntie

Differential Revision: D90978905
@meta-codesync meta-codesync bot closed this in 3782e93 Jan 29, 2026
@facebook-github-bot facebook-github-bot added the Merged label Jan 29, 2026
@meta-codesync

meta-codesync bot commented Jan 29, 2026

This pull request has been merged in 3782e93.

@react-native-bot
Collaborator

This pull request was successfully merged by @emily8rown in 3782e93

When will my fix make it into a release? | How to file a pick request?
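
The four workflow steps and the security notes in the PR description, as an added shell example that is not the workflow's own code. The repository, `api.d.ts`, `scripts/diff.sh` and `refs/pull/1/head` are constructed stand-ins for the real snapshot path, diff script and PR ref, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not the react-native workflow: PR content is only ever read as data.
set -eu
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# extract_snapshots <repo> <trusted-ref> <pr-head> <path> <out-dir>
# Writes base.d.ts (merge base) and head.d.ts (PR head) read-only; prints the merge base.
extract_snapshots() {
  local repo="$1" trusted="$2" head="$3" path="$4" out="$5" base
  base=$(git -C "$repo" merge-base "$trusted" "$head")
  git -C "$repo" show "$base:$path" > "$out/base.d.ts"
  git -C "$repo" show "$head:$path" > "$out/head.d.ts"
  chmod 0444 "$out/base.d.ts" "$out/head.d.ts"
  printf '%s\n' "$base"
}

# Constructed history: the PR branches from main and edits both the snapshot and the
# diff script; main then gains a commit, so main's tip is no longer the merge base.
build_demo() {
  local up="$1/upstream"
  git init -q "$up"; git -C "$up" symbolic-ref HEAD refs/heads/main
  mkdir "$up/scripts"
  echo 'export declare function a(): void;' > "$up/api.d.ts"
  echo 'diff "$1" "$2" || true' > "$up/scripts/diff.sh"
  g -C "$up" add -A; g -C "$up" commit -qm 'main: initial snapshot'
  git -C "$up" checkout -q -b pr
  echo 'export declare function b(): void;' >> "$up/api.d.ts"
  echo 'echo PR-CONTROLLED' > "$up/scripts/diff.sh"
  g -C "$up" commit -qam 'pr: change the API and the script'
  git -C "$up" update-ref refs/pull/1/head HEAD   # constructed ref name
  git -C "$up" checkout -q main
  echo 'export declare function c(): void;' >> "$up/api.d.ts"
  g -C "$up" commit -qam 'main: later change'
  git clone -q --single-branch "$up" "$1/checkout"   # stands in for "check out main"
}

# Fetch the PR head (objects only), extract both snapshots, run main's script on them.
run_demo() {
  local co="$1/checkout" out
  build_demo "$1"; out=$(mktemp -d)
  git -C "$co" fetch -q origin refs/pull/1/head
  extract_snapshots "$co" origin/main FETCH_HEAD api.d.ts "$out" > "$out/merge-base"
  sh "$co/scripts/diff.sh" "$out/base.d.ts" "$out/head.d.ts" > "$out/report"
  printf '%s\n' "$out"
}

report_dir=$(run_demo "$(mktemp -d)"); cat "$report_dir/report"
```

In this constructed history, diffing against main's tip instead of the merge base would also report `c` as a difference, even though the PR never touched it.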
