Skip to content

Post rollouts to PR #133

Post rollouts to PR

Post rollouts to PR #133

Workflow file for this run

---
name: Post rollouts to PR
on:
workflow_run:
workflows: ["Print rollouts"]
types:
- completed
permissions:
pull-requests: write
# Privileged second part of print-rollouts.yml. Architecture and code from
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
jobs:
post-rollouts:
name: Post rollouts to PR
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Download state
uses: actions/github-script@v6
with:
script: |
var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id}},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "validation-results"
})[0];
var download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/validation-results.zip', Buffer.from(download.data));
- name: Unpack state
run: |
set -euo pipefail
mkdir validation-results
cd validation-results
unzip ../validation-results.zip
- name: Comment on PR
uses: actions/github-script@v6
with:
script: |
var fs = require('fs');
var pr_number = Number(fs.readFileSync('validation-results/PR'));
var rollouts = fs.readFileSync('validation-results/rollouts');
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr_number,
body: '```\n' + rollouts + '```'
});