Leave Comment #14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Leave Comment | |
| on: | |
| workflow_run: # zizmor: ignore[dangerous-triggers] | |
| # While it's true (as reported by Zizmor) that many `workflow_run` | |
| # workflows are unsafe, we are using it purely to paste a code comment | |
| # on a pull request. If an attacker were to attempt to modify the _only_ | |
| # file of data we collect from their unsafe code, the worst they could do | |
| # is leave a comment on their own PR, which has no harmful impact | |
| # whatsover. | |
| # | |
| # Any Workflow that uploads a `pr-comment` artifact should be listed here | |
| workflows: ['Build', 'Lighthouse'] | |
| types: [completed] | |
| permissions: | |
| contents: read | |
| actions: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.workflow_run.id }} | |
| cancel-in-progress: true | |
| jobs: | |
| leave-comment: | |
| name: Leave Comment | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Download Comment Artifact | |
| # The Workflow may not have produced a comment (e.g. the comparison was skipped), so this is | |
| # allowed to fail and every subsequent step is gated on it having succeeded. | |
| id: download | |
| continue-on-error: true | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: pr-comment | |
| path: pr-comment | |
| run-id: ${{ github.event.workflow_run.id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Resolve Pull Request Number | |
| id: pr | |
| if: steps.download.outcome == 'success' | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| with: | |
| script: | | |
| const run = context.payload.workflow_run; | |
| // 1. For same-repo Pull Requests the run is already linked to its PR(s). | |
| if (run.pull_requests && run.pull_requests.length) { | |
| core.setOutput('number', run.pull_requests[0].number); | |
| return; | |
| } | |
| // 2. For forks that list is empty, so find the open Pull Request who has the | |
| // correct branch information | |
| const match = await github.rest.pulls.list({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| state: 'open', | |
| head: `${context.payload.workflow_run.head_repository.owner.login}:${context.payload.workflow_run.head_branch}`, | |
| sort: 'updated', | |
| direction: 'desc', | |
| per_page: 1, | |
| }).then(r => r.data[0]); | |
| if (!match) { | |
| core.info(`No open pull request found for HEAD ${run.head_sha}`); | |
| return; | |
| } | |
| core.setOutput('number', match.number); | |
| - name: Read Comment Tag | |
| id: meta | |
| if: steps.download.outcome == 'success' | |
| run: | | |
| tag="$(tr -cd 'A-Za-z0-9_-' < pr-comment/tag.txt)" | |
| echo "tag=$tag" >> "$GITHUB_OUTPUT" | |
| - name: Add Comment to PR | |
| # The comment body is untrusted markdown, so it is passed as a file (data) rather than | |
| # interpolated into an expression or shell command. | |
| if: steps.download.outcome == 'success' && steps.pr.outputs.number != '' | |
| uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0 | |
| with: | |
| file-path: pr-comment/comment.md | |
| comment-tag: ${{ steps.meta.outputs.tag }} | |
| pr-number: ${{ steps.pr.outputs.number }} |