End-to-end PR Comment #56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add end to end test summary as a PR comment. This needs to be run in a separate | |
| # workflow to allow permissions to add comments to PRs without elevating permissions | |
| # of the build. This is a modified version of recommendations found here: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # | |
| # IMPORTANT: Nothing should be added to this workflow that can potentially run | |
| # untrusted code from unmerged forked repo PRs. The `workflow_run` event will | |
| # only run on our main branch vs other events such as `pull_request_target` that | |
| # runs unmerged PR code with elevated permissions. | |
| name: End-to-end PR Comment | |
| # read-write repo token | |
| # access to secrets | |
| on: | |
| workflow_run: | |
| workflows: ['Orchestrator'] | |
| types: | |
| - completed | |
| jobs: | |
| upload: | |
| runs-on: ubuntu-latest | |
| if: > | |
| github.event.workflow_run.event == 'pull_request' | |
| steps: | |
| - name: 'Download artifacts' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: ${{github.event.workflow_run.id }}, | |
| }); | |
| const fs = require('fs'); | |
| const names = ['pr-comment', 'pr-comment-unit']; | |
| for (const artifact of artifacts.data.artifacts) { | |
| if (!names.includes(artifact.name)) { | |
| continue; | |
| } | |
| const download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: artifact.id, | |
| archive_format: 'zip', | |
| }); | |
| fs.writeFileSync(`${{github.workspace}}/${artifact.name}.zip`, Buffer.from(download.data)); | |
| } | |
| - name: Unzip artifacts and store PR number | |
| run: | | |
| unzip pr-comment.zip -d pr-comment | |
| unzip pr-comment-unit.zip -d pr-comment-unit | |
| PR_NUMBER=$(cat ./pr-comment/PR-number.txt) | |
| echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV | |
| - name: 'Comment on PR - e2e Tests' | |
| uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 | |
| with: | |
| number: ${{ env.PR_NUMBER }} | |
| header: pr-title-e2e-summary | |
| path: pr-comment/pr-comment.html | |
| - name: 'Comment on PR - Unit Tests' | |
| uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 | |
| with: | |
| number: ${{ env.PR_NUMBER }} | |
| header: pr-title-unit-summary | |
| path: pr-comment-unit/pr-comment.html |