Integration Tests PR Comment #1146
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Integration Tests PR Comment | |
| on: | |
| workflow_run: | |
| workflows: [Integration Tests] | |
| types: [completed] | |
| jobs: | |
| integration-tests-pr-comment: | |
| runs-on: ubuntu-latest | |
| if: > | |
| github.event.workflow_run.event == 'pull_request_target' && | |
| github.event.workflow_run.conclusion == 'failure' | |
| steps: | |
| - name: Fetch user permission | |
| id: permission | |
| uses: actions-cool/check-user-permission@v2 | |
| with: | |
| require: write | |
| username: ${{ github.triggering_actor }} | |
| # The remaining steps are run only if the triggering actor (user) does NOT have | |
| # write permission for the repo, in which case, the purpose of the remaining | |
| # steps is to add a comment to the PR indicating that the actor (user) does | |
| # NOT have permissions to run integration tests, and thus a maintainer must | |
| # make sure the PR is "safe", and if so, re-run the "failed" integration tests | |
| # (because maintainers DO have the necessary write permission). | |
| - name: Download PR number artifact | |
| # The name of the output require-result is a bit confusing, but when its value | |
| # is 'false', it means that the triggering actor does NOT have the required | |
| # permission. | |
| if: ${{ !env.ACT && steps.permission.outputs.require-result == 'false' }} | |
| uses: actions/github-script@v8 | |
| with: | |
| # Download the PR artifact that was uploaded in integration-test.yml | |
| script: | | |
| const { owner, repo } = context.repo; | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner, repo, run_id: context.payload.workflow_run.id, | |
| }); | |
| const prNumberArtifact = artifacts.data.artifacts.filter( | |
| (artifact) => artifact.name == "pr_number" | |
| )[0]; | |
| const download = await github.rest.actions.downloadArtifact({ | |
| owner, repo, artifact_id: prNumberArtifact.id, archive_format: 'zip', | |
| }); | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const temp = path.join('${{ runner.temp }}', 'artifacts'); | |
| if (!fs.existsSync(temp)) { | |
| fs.mkdirSync(temp); | |
| } | |
| fs.writeFileSync(path.join(temp, 'pr_number.zip'), Buffer.from(download.data)); | |
| - name: Unzip downloaded PR number artifact | |
| # The name of the output require-result is a bit confusing, but when its value | |
| # is 'false', it means that the triggering actor does NOT have the required | |
| # permission. | |
| if: ${{ !env.ACT && steps.permission.outputs.require-result == 'false' }} | |
| run: unzip "${{ runner.temp }}/artifacts/pr_number.zip" -d "${{ runner.temp }}/artifacts" | |
| - name: Add PR comment | |
| # The name of the output require-result is a bit confusing, but when its value | |
| # is 'false', it means that the triggering actor does NOT have the required | |
| # permission. | |
| if: ${{ !env.ACT && steps.permission.outputs.require-result == 'false' }} | |
| # If the triggering actor does not have write permission, then we want to add | |
| # a PR comment indicating a security review is required because we know that | |
| # the integration tests "failed" due to lack of permission (i.e., they were | |
| # actually "aborted" without running any tests). | |
| uses: actions/github-script@v8 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const temp = path.join('${{ runner.temp }}', 'artifacts'); | |
| const { owner, repo } = context.repo; | |
| // Read the PR number from the downloaded and unzipped artifact. | |
| const pull_number = Number(fs.readFileSync(path.join(temp, 'pr_number'))); | |
| // Get the URL of the PR so we can add a link in the PR comment. | |
| const { data: { html_url } } = await github.rest.pulls.get({ owner, repo, pull_number }); | |
| github.rest.issues.createComment({ | |
| owner, | |
| repo, | |
| issue_number: pull_number, | |
| body: "User [${{ github.triggering_actor }}](${{ github.event.workflow_run.head_repository.owner.html_url }})" | |
| + " does not have permission to run integration tests. A maintainer must perform a security review of the" | |
| + ` [code changes in this pull request](${html_url}/files) and re-run the` | |
| + " [failed integration tests jobs](${{ github.event.workflow_run.html_url }})," | |
| + " if the code is deemed safe.", | |
| }); |