Try to fix mypy_primer comment permissions (#5478)

Split the workflows again so the comment workflow has write access to the repository. Based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Co-authored-by: Akuli <akuviljanen17@gmail.com>
2025-12-07 20:54:28 +08:00 · 2021-05-17 20:32:14 +02:00
parent 00fcc50d13
commit 51b7248154
2 changed files with 85 additions and 45 deletions
--- a/.github/workflows/mypy_primer.yml
+++ b/.github/workflows/mypy_primer.yml
@@ -57,50 +57,13 @@ jobs:
        with:
          name: mypy_primer_diffs
          path: diff_${{ matrix.shard-index }}.txt
-
-  comment:
-    name: Comment
-    runs-on: ubuntu-latest
-    needs: mypy_primer
-    permissions: write-all
-    steps:
-      - name: Download diffs
-        uses: actions/download-artifact@v2
+      - if: ${{ matrix.shard-index }} == 0
+        name: Save PR number
+        run: |
+          echo ${{ github.event.pull_request.number }} | tee pr_number.txt
+      - if: ${{ matrix.shard-index }} == 0
+        name: Upload PR number
+        uses: actions/upload-artifact@v2
        with:
          name: mypy_primer_diffs
-
-      - name: Post comment
-        uses: actions/github-script@v3
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            const fs = require('fs')
-            const data = (
-              ['diff_0.txt', 'diff_1.txt']
-              .map(fileName => fs.readFileSync(fileName, { encoding: 'utf8' }))
-              .join('')
-              .substr(0, 30000)  // About 300 lines
-            )
-
-            console.log("Diff from mypy_primer:")
-            console.log(data)
-
-            let body
-            if (data.trim()) {
-              body = 'Diff from [mypy_primer](https://github.com/hauntsaninja/mypy_primer), showing the effect of this PR on open source code:\n```diff\n' + data + '```'
-            } else {
-              body = 'According to [mypy_primer](https://github.com/hauntsaninja/mypy_primer), this change has no effect on the checked open source code. 🤖🎉'
-            }
-
-            await github.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body
-            })
-
-      - uses: kanga333/comment-hider@9141763feccc8da773595675adc567d6616b6e6f
-        name: Hide old comments
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          leave_visible: 1
+          path: pr_number.txt
--- a/.github/workflows/mypy_primer_comment.yml
+++ b/.github/workflows/mypy_primer_comment.yml
@@ -0,0 +1,77 @@
+name: Post mypy_primer comment
+
+on:
+  workflow_run:
+    workflows:
+      - Run mypy_primer
+    types:
+      - completed
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  comment:
+    name: Comment PR from mypy_primer
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download diffs
+        uses: actions/github-script@v3
+        with:
+          script: |
+            const fs = require('fs');
+            const artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+            const [matchArtifact] = artifacts.data.artifacts.filter((artifact) =>
+              artifact.name == "mypy_primer_diffs");
+
+            const download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: "zip",
+            });
+            fs.writeFileSync("diff.zip", Buffer.from(download.data));
+
+      - run: unzip diff.zip
+
+      - name: Post comment
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            const fs = require('fs')
+            const data = (
+              ['diff_0.txt', 'diff_1.txt']
+              .map(fileName => fs.readFileSync(fileName, { encoding: 'utf8' }))
+              .join('')
+              .substr(0, 30000)  // About 300 lines
+            )
+
+            console.log("Diff from mypy_primer:")
+            console.log(data)
+
+            let body
+            if (data.trim()) {
+              body = 'Diff from [mypy_primer](https://github.com/hauntsaninja/mypy_primer), showing the effect of this PR on open source code:\n```diff\n' + data + '```'
+            } else {
+              body = 'According to [mypy_primer](https://github.com/hauntsaninja/mypy_primer), this change has no effect on the checked open source code. 🤖🎉'
+            }
+
+            await github.issues.createComment({
+              issue_number: fs.readFileSync("pr_number.txt", { encoding: "utf8" }),
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body
+            })
+
+      # FIXME: comment hider doesn't work from this file
+#      - uses: kanga333/comment-hider@9141763feccc8da773595675adc567d6616b6e6f
+#        name: Hide old comments
+#        with:
+#          github_token: ${{ secrets.GITHUB_TOKEN }}
+#          leave_visible: 1