End-to-end PR Comment #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add end to end test summary as a PR comment. This needs to be run in a separate | |
| # workflow to allow permissions to add comments to PRs without elevating permissions | |
| # of the build. This is a modified version of recommendations found here: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # | |
| # IMPORTANT: Nothing should be added to this workflow that can potentially run | |
| # untrusted code from unmerged forked repo PRs. The `workflow_run` event will | |
| # only run on our main branch vs other events such as `pull_request_target` that | |
| # runs unmerged PR code with elevated permissions. | |
| name: End-to-end PR Comment | |
| # read-write repo token | |
| # access to secrets | |
| on: | |
| workflow_run: | |
| workflows: ['Orchestrator'] | |
| types: | |
| - completed | |
| jobs: | |
| upload: | |
| runs-on: ubuntu-latest | |
| if: > | |
| github.event.workflow_run.event == 'pull_request' | |
| steps: | |
| - name: 'Download artifact' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: ${{github.event.workflow_run.id }}, | |
| }); | |
| const fs = require('fs'); | |
| const names = ['pr-comment', 'pr-comment-unit']; | |
| for (const artifact of artifacts.data.artifacts) { | |
| if (!names.includes(artifact.name)) { | |
| continue; | |
| } | |
| const download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: artifact.id, | |
| archive_format: 'zip', | |
| }); | |
| fs.writeFileSync(`${{github.workspace}}/${artifact.name}.zip`, Buffer.from(download.data)); | |
| } | |
| - run: | | |
| unzip pr-comment.zip -d pr-comment | |
| unzip pr-comment-unit.zip -d pr-comment-unit | |
| - name: 'Comment on PR' | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const fs = require('fs'); | |
| const prNumber = Number(fs.readFileSync('./pr-comment/PR-number.txt')); | |
| const comments = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| }) | |
| for (const dirName of ['pr-comment', 'pr-comment-unit']) { | |
| // Append a marker to the summary content to identify the comment for later updates | |
| const marker = `<!-- DH GH Action Comment (${dirName}) -->`; | |
| const prComment = String(fs.readFileSync(`./${dirName}/pr-comment.html`)); | |
| const contentWithMarker = `${marker}\n${prComment}`; | |
| const existingComment = comments.data.find(comment => comment.body.startsWith(marker)); | |
| if (existingComment) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: existingComment.id, | |
| body: contentWithMarker, | |
| }); | |
| } | |
| else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: prNumber, | |
| body: contentWithMarker, | |
| }); | |
| } | |
| } |