From 2cd21a87318e6dd0500cba8642f34cc12977918e Mon Sep 17 00:00:00 2001
From: Chuck Daniels
Date: Fri, 27 Sep 2024 10:19:53 -0400
Subject: [PATCH] Add PR comment when integration tests fail

Fixes #824
---
 .github/workflows/integration-test-review.yml | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/integration-test-review.yml

diff --git a/.github/workflows/integration-test-review.yml b/.github/workflows/integration-test-review.yml
new file mode 100644
index 00000000..b9cefb9c
--- /dev/null
+++ b/.github/workflows/integration-test-review.yml
@@ -0,0 +1,52 @@
+name: Integration Tests PR Comment
+
+on:
+ workflow_run:
+ workflows: [Integration Tests]
+ types: [completed]
+
+jobs:
+ integration-tests-pr-comment:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request_target' &&
+ github.event.workflow_run.conclusion == 'failure'
+ steps:
+ - name: Fetch user permission
+ id: permission
+ uses: actions-cool/check-user-permission@v2
+ with:
+ require: write
+ username: ${{ github.triggering_actor }}
+
+ - name: Add PR comment when user does not have write permission
+ # The name of the output require-result is a bit confusing, but when its value
+ # is 'false', it means that the triggering actor does NOT have the required
+ # permission.
+ if: steps.permission.outputs.require-result == 'false'
+
+ # If the triggering actor does not have write permission, then we want to add
+ # a PR comment indicating a security review is required because we know that
+ # the integration tests "failed" due to lack of permission (i.e., they were
+ # actually "aborted" without running any tests).
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { number, html_url } = (await github.rest.repos.listPullRequestsAssociatedWithCommit({
+ commit_sha: context.sha,
+ owner: "${{ github.event.workflow_run.head_repository.owner.login }}",
+ repo: "${{ github.event.workflow_run.head_repository.name }}",
+ })).data[0] ?? {};
+
+ if (number) {
+ github.rest.issues.createComment({
+ issue_number: number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: "User [${{ github.triggering_actor }}](${{ github.event.workflow_run.head_repository.owner.html_url }})"
+ + " does not have permission to run integration tests. A maintainer must perform a security review of the"
+ + ` [code changes in this pull request](${html_url}/files) and re-run the`
+ + " [failed integration tests jobs](${{ github.event.workflow_run.html_url }}),"
+ + " if the code is deemed safe.",
+ });
+ }
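Review bot: `commit_sha: context.sha` in the github-script step looks up the wrong commit: for a `workflow_run` trigger GitHub documents `GITHUB_SHA` (which `context.sha` mirrors) as the last commit on the default branch rather than the PR head, so `listPullRequestsAssociatedWithCommit` can return an unrelated, possibly already-merged PR and the comment lands there; the PR head is `github.event.workflow_run.head_sha`. Because the lookup runs against the fork (`head_repository`) and `data[0]` is taken blindly, the returned number may also belong to a PR opened inside the fork itself yet is then used as `issue_number` against `context.repo`, so the result should be filtered on `pr.base.repo.full_name` matching the base repository. The job declares no `permissions:` block, so it inherits the repository's default `GITHUB_TOKEN` scopes (write-capable unless the repo has restricted them) while only needing `pull-requests: write`, and both third-party actions (`actions-cool/check-user-permission@v2`, `actions/github-script@v7`) are referenced by mutable tags rather than pinned commit SHAs, which matters in a workflow that runs with base-repository credentials on fork-triggered events. The `${{ }}` values interpolated straight into `script:` are GitHub-constrained logins, repo names and URLs, so injection here is unlikely, but passing them through `env:` and reading `process.env` in the script is the safer habit for github-script.
```yaml
jobs:
  integration-tests-pr-comment:
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to comment on the PR.
    permissions:
      pull-requests: write
    # … unchanged: if:, permission-check step, comment step name/if/uses …
          script: |
            // Only a PR that targets this repository may be commented on by number.
            const base = `${context.repo.owner}/${context.repo.repo}`;
            const { number, html_url } = (await github.rest.repos.listPullRequestsAssociatedWithCommit({
              // PR head commit: under workflow_run, context.sha is the default-branch tip.
              commit_sha: "${{ github.event.workflow_run.head_sha }}",
              owner: "${{ github.event.workflow_run.head_repository.owner.login }}",
              repo: "${{ github.event.workflow_run.head_repository.name }}",
            })).data.find((pr) => pr.base.repo.full_name === base) ?? {};
            // … unchanged: createComment …
```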