CI: drop setup-command input from reusable community-world workflows #1828

Open
pranaygp wants to merge 2 commits into main from pranaygp/drop-setup-command-input-v2

@pranaygp
Contributor

Summary

  • Remove setup-command input from the reusable e2e-community-world.yml and benchmark-community-world.yml workflows and stop forwarding matrix.world.setup-command from tests.yml / benchmarks.yml.
  • Replace the pass-through + eval with a hardcoded per-world-id case statement (only turso currently needs a setup step).
  • Drop the setup-command field from scripts/create-community-worlds-matrix.mjs output.

The community-world matrix is generated by running that script in the fork PR's checkout, so every field on it is attacker-controlled. Forwarding the value into the reusable workflow and eval-ing it inside allowed a malicious fork PR to execute arbitrary shell on the runner.

Test plan

  • CI runs the community-world jobs and turso still passes its setup step.
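
The pattern this PR removes and the one it introduces, side by side, as an added example that is not taken from the PR's workflow files. The function names, the SETUP_COMMAND and WORLD_ID variables, the sample matrix value and the body of the turso branch are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added illustration: names and sample values below are constructed,
# not copied from the repository's workflows.

# BEFORE: the reusable workflow received a string from the matrix and
# eval'd it. Handing the value over in an env var keeps it out of the
# script text, but eval parses it as shell again, so every metacharacter
# in it is live.
setup_via_eval() {
  [ -n "${SETUP_COMMAND:-}" ] || return 0
  eval "$SETUP_COMMAND"
}

# AFTER: only the world id is consulted, and it can do no more than pick
# a branch that is written in the workflow file itself.
setup_via_case() {
  case "${WORLD_ID:-}" in
    turso)
      # Placeholder: the page does not show turso's real setup step.
      echo "turso setup"
      ;;
    *)
      echo "no setup needed"
      ;;
  esac
}

# Feed the same fork-controlled string to both variants and report
# whether the trailing assignment in it took effect.
demo() {
  hostile='echo "creating db"; INJECTED=yes'   # constructed matrix value

  INJECTED=no
  SETUP_COMMAND=$hostile
  setup_via_eval >/dev/null
  echo "eval: INJECTED=$INJECTED"

  INJECTED=no
  WORLD_ID=$hostile
  setup_via_case >/dev/null
  echo "case: INJECTED=$INJECTED"
}

demo
```

With the case form, a matrix field that does not match a known world id falls through to the default branch as inert data.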

The community-world matrix is produced by running
scripts/create-community-worlds-matrix.mjs in the fork PR's checkout,
so any field on it is attacker-controlled. Forwarding
matrix.world.setup-command into the reusable workflow and eval-ing it
let a malicious fork PR execute arbitrary shell on the runner.

Replace the pass-through with a hardcoded per-world-id case in the
reusable workflows (only turso currently needs a setup step) and drop
the setup field from the matrix generator.
Copilot AI review requested due to automatic review settings April 22, 2026 20:02
@changeset-bot

changeset-bot Bot commented Apr 22, 2026

🦋 Changeset detected

Latest commit: 9cf6b2b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel
Contributor

vercel Bot commented Apr 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
example-nextjs-workflow-turbopack Ready Ready Preview, Comment Apr 22, 2026 8:20pm
example-nextjs-workflow-webpack Ready Ready Preview, Comment Apr 22, 2026 8:20pm
example-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-astro-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-express-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-fastify-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-hono-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-nitro-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-nuxt-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-sveltekit-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workbench-vite-workflow Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workflow-docs Ready Ready Preview, Comment, Open in v0 Apr 22, 2026 8:20pm
workflow-swc-playground Ready Ready Preview, Comment Apr 22, 2026 8:20pm
workflow-web Ready Ready Preview, Comment Apr 22, 2026 8:20pm

@github-actions
Contributor

github-actions Bot commented Apr 22, 2026

🧪 E2E Test Results

All tests passed

Summary

Passed Failed Skipped Total
✅ 💻 Local Development 1054 0 86 1140
✅ 📦 Local Production 1054 0 86 1140
✅ 🐘 Local Postgres 1054 0 86 1140
✅ 🪟 Windows 95 0 0 95
✅ 📋 Other 267 0 18 285
Total 3524 0 276 3800

Details by Category

✅ 💻 Local Development
App Passed Failed Skipped
✅ astro-stable 89 0 6
✅ express-stable 89 0 6
✅ fastify-stable 89 0 6
✅ hono-stable 89 0 6
✅ nextjs-turbopack-canary 76 0 19
✅ nextjs-turbopack-stable 95 0 0
✅ nextjs-webpack-canary 76 0 19
✅ nextjs-webpack-stable 95 0 0
✅ nitro-stable 89 0 6
✅ nuxt-stable 89 0 6
✅ sveltekit-stable 89 0 6
✅ vite-stable 89 0 6
✅ 📦 Local Production
App Passed Failed Skipped
✅ astro-stable 89 0 6
✅ express-stable 89 0 6
✅ fastify-stable 89 0 6
✅ hono-stable 89 0 6
✅ nextjs-turbopack-canary 76 0 19
✅ nextjs-turbopack-stable 95 0 0
✅ nextjs-webpack-canary 76 0 19
✅ nextjs-webpack-stable 95 0 0
✅ nitro-stable 89 0 6
✅ nuxt-stable 89 0 6
✅ sveltekit-stable 89 0 6
✅ vite-stable 89 0 6
✅ 🐘 Local Postgres
App Passed Failed Skipped
✅ astro-stable 89 0 6
✅ express-stable 89 0 6
✅ fastify-stable 89 0 6
✅ hono-stable 89 0 6
✅ nextjs-turbopack-canary 76 0 19
✅ nextjs-turbopack-stable 95 0 0
✅ nextjs-webpack-canary 76 0 19
✅ nextjs-webpack-stable 95 0 0
✅ nitro-stable 89 0 6
✅ nuxt-stable 89 0 6
✅ sveltekit-stable 89 0 6
✅ vite-stable 89 0 6
✅ 🪟 Windows
App Passed Failed Skipped
✅ nextjs-turbopack 95 0 0
✅ 📋 Other
App Passed Failed Skipped
✅ e2e-local-dev-nest-stable 89 0 6
✅ e2e-local-postgres-nest-stable 89 0 6
✅ e2e-local-prod-nest-stable 89 0 6


Some E2E test jobs failed:

  • Vercel Prod: failure
  • Local Dev: success
  • Local Prod: success
  • Local Postgres: success
  • Windows: success

Check the workflow run for details.

@github-actions
Contributor

github-actions Bot commented Apr 22, 2026

📊 Benchmark Results

📈 Comparing against baseline from main branch. Green 🟢 = faster, Red 🔺 = slower.

workflow with no steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
💻 Local 🥇 Nitro 0.038s (-11.8% 🟢) 1.005s (~) 0.967s 10 1.00x
💻 Local Express 0.041s (-8.4% 🟢) 1.005s (~) 0.964s 10 1.07x
🐘 Postgres Express 0.047s (-18.4% 🟢) 1.010s (~) 0.963s 10 1.24x
🐘 Postgres Next.js (Turbopack) 0.055s 1.010s 0.955s 10 1.44x
🐘 Postgres Nitro 0.067s (-29.9% 🟢) 1.010s (-3.2%) 0.943s 10 1.76x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 1 step

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
💻 Local 🥇 Nitro 1.100s (-2.8%) 2.005s (~) 0.905s 10 1.00x
🐘 Postgres Express 1.116s (-2.7%) 2.010s (~) 0.894s 10 1.01x
🐘 Postgres Next.js (Turbopack) 1.129s 2.007s 0.878s 10 1.03x
💻 Local Express 1.134s (+0.8%) 2.006s (~) 0.872s 10 1.03x
🐘 Postgres Nitro 1.149s (+0.8%) 2.009s (~) 0.860s 10 1.05x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 10 sequential steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 10.698s (-2.4%) 11.023s (~) 0.325s 3 1.00x
💻 Local Nitro 10.704s (-2.2%) 11.028s (~) 0.324s 3 1.00x
🐘 Postgres Next.js (Turbopack) 10.836s 11.018s 0.182s 3 1.01x
🐘 Postgres Nitro 10.869s (~) 11.020s (~) 0.151s 3 1.02x
💻 Local Express 10.932s (~) 11.023s (~) 0.091s 3 1.02x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 25 sequential steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 14.110s (-3.2%) 15.023s (~) 0.913s 4 1.00x
🐘 Postgres Next.js (Turbopack) 14.358s 15.025s 0.667s 4 1.02x
💻 Local Nitro 14.372s (-4.6%) 15.029s (-6.2% 🟢) 0.658s 4 1.02x
🐘 Postgres Nitro 14.549s (~) 15.024s (~) 0.476s 4 1.03x
💻 Local Express 14.953s (~) 15.030s (~) 0.077s 4 1.06x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 50 sequential steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 13.023s (-7.0% 🟢) 13.448s (-7.8% 🟢) 0.425s 7 1.00x
🐘 Postgres Next.js (Turbopack) 13.719s 14.019s 0.300s 7 1.05x
🐘 Postgres Nitro 13.926s (~) 14.165s (-1.0%) 0.239s 7 1.07x
💻 Local Nitro 15.225s (-9.3% 🟢) 16.031s (-5.9% 🟢) 0.807s 6 1.17x
💻 Local Express 16.340s (-1.6%) 17.030s (~) 0.690s 6 1.25x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.all with 10 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 1.202s (-4.6%) 2.009s (~) 0.807s 15 1.00x
🐘 Postgres Next.js (Turbopack) 1.233s 2.010s 0.777s 15 1.03x
🐘 Postgres Nitro 1.274s (~) 2.009s (~) 0.735s 15 1.06x
💻 Local Nitro 1.491s (-8.6% 🟢) 2.006s (-3.3%) 0.515s 15 1.24x
💻 Local Express 1.533s (+3.0%) 2.005s (~) 0.472s 15 1.28x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.all with 25 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 2.309s (-2.2%) 3.009s (~) 0.699s 10 1.00x
🐘 Postgres Nitro 2.375s (+1.0%) 3.008s (~) 0.633s 10 1.03x
🐘 Postgres Next.js (Turbopack) 2.390s 3.010s 0.619s 10 1.04x
💻 Local Express 2.774s (-6.1% 🟢) 3.007s (-12.9% 🟢) 0.233s 10 1.20x
💻 Local Nitro 2.816s (-10.4% 🟢) 3.108s (-20.0% 🟢) 0.292s 10 1.22x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.all with 50 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 3.413s (-2.1%) 4.008s (~) 0.596s 8 1.00x
🐘 Postgres Nitro 3.476s (~) 4.011s (~) 0.534s 8 1.02x
🐘 Postgres Next.js (Turbopack) 3.628s 4.008s 0.380s 8 1.06x
💻 Local Express 7.228s (-13.3% 🟢) 8.023s (-11.1% 🟢) 0.794s 4 2.12x
💻 Local Nitro 7.429s (-11.0% 🟢) 8.017s (-11.1% 🟢) 0.587s 4 2.18x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.race with 10 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 1.212s (-3.6%) 2.008s (~) 0.797s 15 1.00x
🐘 Postgres Next.js (Turbopack) 1.226s 2.009s 0.783s 15 1.01x
🐘 Postgres Nitro 1.264s (+0.6%) 2.008s (~) 0.744s 15 1.04x
💻 Local Express 1.530s (-19.2% 🟢) 2.006s (-15.1% 🟢) 0.475s 15 1.26x
💻 Local Nitro 1.648s (-11.7% 🟢) 2.149s (-8.2% 🟢) 0.501s 14 1.36x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.race with 25 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 2.279s (-2.7%) 3.010s (~) 0.730s 10 1.00x
🐘 Postgres Nitro 2.317s (-0.9%) 3.009s (~) 0.692s 10 1.02x
🐘 Postgres Next.js (Turbopack) 2.378s 3.009s 0.631s 10 1.04x
💻 Local Nitro 2.784s (-9.2% 🟢) 3.007s (-22.6% 🟢) 0.223s 10 1.22x
💻 Local Express 2.860s (-8.7% 🟢) 3.209s (-14.7% 🟢) 0.350s 10 1.25x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Promise.race with 50 concurrent steps

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 3.402s (-2.8%) 4.012s (~) 0.610s 8 1.00x
🐘 Postgres Nitro 3.465s (~) 4.011s (~) 0.546s 8 1.02x
🐘 Postgres Next.js (Turbopack) 3.634s 4.012s 0.378s 8 1.07x
💻 Local Nitro 7.813s (-14.6% 🟢) 8.268s (-17.5% 🟢) 0.455s 4 2.30x
💻 Local Express 7.851s (-10.8% 🟢) 8.518s (-8.1% 🟢) 0.668s 4 2.31x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 10 sequential data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.621s (-26.0% 🟢) 1.006s (-1.7%) 0.385s 60 1.00x
💻 Local Nitro 0.715s (-27.1% 🟢) 1.004s (-8.2% 🟢) 0.290s 60 1.15x
🐘 Postgres Next.js (Turbopack) 0.763s 1.023s 0.260s 59 1.23x
🐘 Postgres Nitro 0.801s (-2.4%) 1.006s (~) 0.205s 60 1.29x
💻 Local Express 1.008s (+2.5%) 1.468s (+36.5% 🔺) 0.460s 41 1.62x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 25 sequential data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 1.477s (-25.3% 🟢) 2.007s (-11.1% 🟢) 0.530s 45 1.00x
🐘 Postgres Next.js (Turbopack) 1.846s 2.007s 0.162s 45 1.25x
🐘 Postgres Nitro 1.893s (-1.8%) 2.076s (-1.2%) 0.183s 44 1.28x
💻 Local Nitro 2.301s (-24.2% 🟢) 3.008s (-20.0% 🟢) 0.706s 30 1.56x
💻 Local Express 3.025s (~) 3.689s (+2.9%) 0.664s 25 2.05x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 50 sequential data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 2.999s (-24.8% 🟢) 3.538s (-19.0% 🟢) 0.539s 34 1.00x
🐘 Postgres Next.js (Turbopack) 3.800s 4.042s 0.242s 30 1.27x
🐘 Postgres Nitro 3.822s (-6.9% 🟢) 4.009s (-12.9% 🟢) 0.188s 30 1.27x
💻 Local Nitro 7.517s (-19.2% 🟢) 8.016s (-20.0% 🟢) 0.499s 15 2.51x
💻 Local Express 8.924s (-3.1%) 9.324s (-6.9% 🟢) 0.400s 13 2.98x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 10 concurrent data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.233s (-17.6% 🟢) 1.007s (~) 0.774s 60 1.00x
🐘 Postgres Next.js (Turbopack) 0.248s 1.007s 0.759s 60 1.06x
🐘 Postgres Nitro 0.289s (+1.9%) 1.006s (~) 0.718s 60 1.24x
💻 Local Express 0.554s (-1.1%) 1.004s (~) 0.450s 60 2.38x
💻 Local Nitro 0.584s (-3.4%) 1.004s (-1.7%) 0.420s 60 2.51x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 25 concurrent data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.377s (-26.0% 🟢) 1.006s (~) 0.629s 90 1.00x
🐘 Postgres Nitro 0.486s (-2.1%) 1.007s (~) 0.520s 90 1.29x
🐘 Postgres Next.js (Turbopack) 0.489s 1.007s 0.519s 90 1.30x
💻 Local Express 2.370s (-5.7% 🟢) 3.009s (~) 0.639s 30 6.28x
💻 Local Nitro 2.483s (-2.2%) 3.008s (~) 0.525s 30 6.58x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
workflow with 50 concurrent data payload steps (10KB)

💻 Local Development

World Framework Workflow Time Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.584s (-28.7% 🟢) 1.007s (-1.0%) 0.423s 120 1.00x
🐘 Postgres Next.js (Turbopack) 0.761s 1.015s 0.254s 119 1.30x
🐘 Postgres Nitro 0.783s (-1.0%) 1.007s (~) 0.225s 120 1.34x
💻 Local Express 10.409s (-7.0% 🟢) 11.029s (-7.6% 🟢) 0.620s 11 17.82x
💻 Local Nitro 10.703s (-4.4%) 11.116s (-4.7%) 0.412s 11 18.32x
💻 Local Next.js (Turbopack) ⚠️ missing - - - -
Stream Benchmarks (includes TTFB metrics)
workflow with stream

💻 Local Development

World Framework Workflow Time TTFB Slurp Wall Time Overhead Samples vs Fastest
💻 Local 🥇 Nitro 0.149s (-30.4% 🟢) 1.005s (~) 0.011s (-12.8% 🟢) 1.017s (~) 0.869s 10 1.00x
🐘 Postgres Express 0.156s (-24.0% 🟢) 0.999s (~) 0.001s (-18.8% 🟢) 1.010s (~) 0.854s 10 1.05x
🐘 Postgres Next.js (Turbopack) 0.184s 1.001s 0.001s 1.010s 0.825s 10 1.24x
🐘 Postgres Nitro 0.208s (+1.5%) 0.990s (-1.0%) 0.002s (+6.7% 🔺) 1.010s (~) 0.802s 10 1.40x
💻 Local Express 0.210s (+5.4% 🔺) 1.004s (~) 0.010s (-19.0% 🟢) 1.016s (~) 0.806s 10 1.41x
💻 Local Next.js (Turbopack) ⚠️ missing - - - - -
stream pipeline with 5 transform steps (1MB)

💻 Local Development

World Framework Workflow Time TTFB Slurp Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.507s (-19.5% 🟢) 1.005s (~) 0.004s (-3.1%) 1.020s (~) 0.513s 59 1.00x
🐘 Postgres Next.js (Turbopack) 0.605s 1.008s 0.004s 1.022s 0.418s 59 1.19x
💻 Local Nitro 0.607s (-27.6% 🟢) 1.013s (~) 0.009s (+1.3%) 1.024s (-8.2% 🟢) 0.416s 59 1.20x
🐘 Postgres Nitro 0.621s (-0.5%) 1.040s (+3.3%) 0.004s (-5.8% 🟢) 1.056s (+3.3%) 0.435s 57 1.22x
💻 Local Express 0.852s (+12.5% 🔺) 1.013s (-1.6%) 0.009s (-5.0%) 1.116s (+7.3% 🔺) 0.264s 54 1.68x
💻 Local Next.js (Turbopack) ⚠️ missing - - - - -
10 parallel streams (1MB each)

💻 Local Development

World Framework Workflow Time TTFB Slurp Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Express 0.911s (-5.2% 🟢) 1.090s (-14.7% 🟢) 0.000s (-100.0% 🟢) 1.098s (-15.9% 🟢) 0.188s 55 1.00x
🐘 Postgres Next.js (Turbopack) 0.913s 1.091s 0.000s 1.101s 0.188s 55 1.00x
🐘 Postgres Nitro 0.946s (-2.3%) 1.123s (-10.0% 🟢) 0.000s (-9.4% 🟢) 1.139s (-9.4% 🟢) 0.193s 53 1.04x
💻 Local Express 1.196s (-2.3%) 2.019s (~) 0.000s (-30.0% 🟢) 2.021s (~) 0.824s 30 1.31x
💻 Local Nitro 1.218s (~) 2.020s (~) 0.000s (+300.0% 🔺) 2.022s (~) 0.805s 30 1.34x
💻 Local Next.js (Turbopack) ⚠️ missing - - - - -
fan-out fan-in 10 streams (1MB each)

💻 Local Development

World Framework Workflow Time TTFB Slurp Wall Time Overhead Samples vs Fastest
🐘 Postgres 🥇 Nitro 1.712s (-4.4%) 2.063s (-3.7%) 0.000s (-100.0% 🟢) 2.087s (-4.0%) 0.375s 29 1.00x
🐘 Postgres Express 1.714s (-3.3%) 2.139s (-1.8%) 0.000s (+Infinity% 🔺) 2.147s (-2.4%) 0.432s 29 1.00x
🐘 Postgres Next.js (Turbopack) 1.765s 2.107s 0.000s 2.113s 0.348s 29 1.03x
💻 Local Express 3.478s (~) 4.100s (+1.6%) 0.000s (-91.7% 🟢) 4.102s (+1.6%) 0.625s 15 2.03x
💻 Local Nitro 3.695s (+9.1% 🔺) 4.167s (+3.3%) 0.001s (+62.5% 🔺) 4.171s (+3.3%) 0.476s 15 2.16x
💻 Local Next.js (Turbopack) ⚠️ missing - - - - -

Summary

Fastest Framework by World

Winner determined by most benchmark wins

World 🥇 Fastest Framework Wins
💻 Local Nitro 13/21
🐘 Postgres Express 20/21
Fastest World by Framework

Winner determined by most benchmark wins

Framework 🥇 Fastest World Wins
Express 🐘 Postgres 20/21
Next.js (Turbopack) 🐘 Postgres 21/21
Nitro 🐘 Postgres 14/21
Column Definitions
  • Workflow Time: Runtime reported by workflow (completedAt - createdAt) - primary metric
  • TTFB: Time to First Byte - time from workflow start until first stream byte received (stream benchmarks only)
  • Slurp: Time from first byte to complete stream consumption (stream benchmarks only)
  • Wall Time: Total testbench time (trigger workflow + poll for result)
  • Overhead: Testbench overhead (Wall Time - Workflow Time)
  • Samples: Number of benchmark iterations run
  • vs Fastest: How much slower compared to the fastest configuration for this benchmark

Worlds:

  • 💻 Local: In-memory filesystem world (local development)
  • 🐘 Postgres: PostgreSQL database world (local development)
  • ▲ Vercel: Vercel production/preview deployment
  • 🌐 Turso: Community world (local development)
  • 🌐 MongoDB: Community world (local development)
  • 🌐 Redis: Community world (local development)
  • 🌐 Jazz: Community world (local development)


Some benchmark jobs failed:

  • Local: failure
  • Postgres: success
  • Vercel: failure

Check the workflow run for details.

Contributor

Copilot AI left a comment

Pull request overview

Removes an attacker-controlled setup-command field from the community-world CI matrix/workflows to prevent command injection via eval in reusable workflows.

Changes:

  • Drop setup-command from create-community-worlds-matrix.mjs output and stop forwarding it from tests.yml / benchmarks.yml.
  • Remove setup-command input from reusable workflows and replace eval with a hardcoded per-world-id setup case (currently only turso).
  • Add an (empty) changeset entry for the CI-only change.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/create-community-worlds-matrix.mjs Removes setup-command from generated matrix JSON.
.github/workflows/tests.yml Stops passing matrix.world.setup-command into the reusable E2E workflow.
.github/workflows/e2e-community-world.yml Removes setup-command input and replaces eval with a world-id case statement.
.github/workflows/benchmarks.yml Stops passing matrix.world.setup-command into the reusable benchmark workflow.
.github/workflows/benchmark-community-world.yml Removes setup-command input and replaces eval with a world-id case statement.
.changeset/drop-setup-command-input.md Adds an empty changeset file to document the CI change.

Comment on lines +110 to 113
# Per-world setup. Hardcoded (not taken from the matrix) so a malicious
# fork PR cannot smuggle arbitrary shell through matrix.world.setup-command.
- name: Run setup command
if: ${{ inputs.setup-command != '' }}
env:
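
Review bot: the line "if: ${{ inputs.setup-command != '' }}" directly under the new comment still reads the input this PR removes. Confirm it is deleted in this hunk rather than left as context; if it stays, the step is gated on a value no caller can supply any more and the turso setup would not run. Drop the condition together with the input.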

Copilot AI Apr 22, 2026

The step name still implies an arbitrary command is executed, but the logic is now a fixed per-world switch. Consider renaming this step (e.g., "Per-world setup") and optionally adding an if so it only runs when the world actually needs setup, to reduce log noise for the common case.

Contributor Author

Renamed to 'Per-world setup' in 9cf6b2b. Skipping the optional if-guard since the default case just echoes and the per-world-id list already lives in one place (the case statement itself).

Comment on lines +114 to 117
# Per-world setup. Hardcoded (not taken from the matrix) so a malicious
# fork PR cannot smuggle arbitrary shell through matrix.world.setup-command.
- name: Run setup command
if: ${{ inputs.setup-command != '' }}
env:
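
Review bot: the comment and step at lines +114 to 117 are the same as the ones at +110 to 113 in the other reusable workflow, so the hardcoded per-world list now lives in two files. Add a line to each comment naming the sibling workflow, or move the case statement into one shared script or composite action, so a world added to one list is not missed in the other.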

Copilot AI Apr 22, 2026

The step name still implies an arbitrary command is executed, but the logic is now a fixed per-world switch. Consider renaming this step (e.g., "Per-world setup") and optionally adding an if so it only runs when the world actually needs setup, to reduce log noise for the common case.

Contributor Author

Renamed to 'Per-world setup' in 9cf6b2b. Skipping the optional if-guard since the default case just echoes and the per-world-id list already lives in one place (the case statement itself).

Addresses Copilot review feedback: the step no longer executes an
arbitrary command, so the old name was misleading.
Contributor

@karthikscale3 karthikscale3 left a comment

LGTM

@pranaygp pranaygp added the backport-stable Cherry-pick this PR to the stable branch when merged label Apr 22, 2026
@pranaygp pranaygp enabled auto-merge (squash) April 23, 2026 01:12
@pranaygp pranaygp disabled auto-merge April 23, 2026 01:12