[llvm] [workflows] Split pr-code-format into two parts to make it more secure (PR #78216)
Tobias Hieta via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 15 23:24:02 PST 2024
================
@@ -0,0 +1,72 @@
+name: Comment on an issue
+
+on:
+ workflow_run:
+ workflows: ["Check code formatting"]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ pr-comment:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ if: >
+ github.event.workflow_run.event == 'pull_request'
+ steps:
+ - name: 'Download artifact'
+ # v7.0.1
+ uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea
+ with:
+ script: |
+ let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id,
+ });
+ let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "workflow-args"
+ })[0];
+ let download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ let fs = require('fs');
+ fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/workflow-args.zip`, Buffer.from(download.data));
+
+ - run: unzip workflow-args.zip
+
+ - name: 'Comment on PR'
+ uses: actions/github-script at v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ const comments = JSON.parse(fs.readFileSync('./comments'));
+ if (!comments) {
----------------
tru wrote:
should we handle errors from reading the json here and print the problems? so that we can debug that later if something goes wrong?
https://github.com/llvm/llvm-project/pull/78216
More information about the llvm-commits
mailing list