From 51b7248154ab6e71693d34712dc9e44b68d45829 Mon Sep 17 00:00:00 2001
From: Sebastian Rittau
Date: Mon, 17 May 2021 20:32:14 +0200
Subject: [PATCH] Try to fix mypy_primer comment permissions (#5478)
Split the workflows again so the comment workflow has write access to the repository. Based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Co-authored-by: Akuli
---
 .github/workflows/mypy_primer.yml | 53 +++-------------
 .github/workflows/mypy_primer_comment.yml | 77 +++++++++++++++++++++++
 2 files changed, 85 insertions(+), 45 deletions(-)
 create mode 100644 .github/workflows/mypy_primer_comment.yml
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml
index 0304c6d27..3910ebefa 100644
--- a/.github/workflows/mypy_primer.yml
+++ b/.github/workflows/mypy_primer.yml
@@ -57,50 +57,13 @@ jobs: with: name: mypy_primer_diffs path: diff_${{ matrix.shard-index }}.txt - - comment: - name: Comment - runs-on: ubuntu-latest - needs: mypy_primer - permissions: write-all - steps: - - name: Download diffs - uses: actions/download-artifact@v2 + - if: ${{ matrix.shard-index }} == 0 + name: Save PR number + run: | + echo ${{ github.event.pull_request.number }} | tee pr_number.txt + - if: ${{ matrix.shard-index }} == 0 + name: Upload PR number + uses: actions/upload-artifact@v2 with: name: mypy_primer_diffs - - - name: Post comment - uses: actions/github-script@v3 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - const fs = require('fs') - const data = ( - ['diff_0.txt', 'diff_1.txt'] - .map(fileName => fs.readFileSync(fileName, { encoding: 'utf8' })) - .join('') - .substr(0, 30000) // About 300 lines - ) - - console.log("Diff from mypy_primer:") - console.log(data) - - let body - if (data.trim()) { - body = 'Diff from [mypy_primer](https://github.com/hauntsaninja/mypy_primer), showing the effect of this PR on open source code:\n```diff\n' + data + '```' - } else { - body = 'According to [mypy_primer](https://github.com/hauntsaninja/mypy_primer), this change has no effect on the checked open source code. 🤖🎉' - } - - await github.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body - }) - - - uses: kanga333/comment-hider@9141763feccc8da773595675adc567d6616b6e6f - name: Hide old comments - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - leave_visible: 1 + path: pr_number.txt diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml new file mode 100644 index 000000000..846a1677f --- /dev/null +++ b/.github/workflows/mypy_primer_comment.yml 
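Review bot: Both added steps gate on the mixed form `if: ${{ matrix.shard-index }} == 0`, which substitutes the expression first and leaves the `== 0` comparison outside the expression; if the runner does not re-evaluate the substituted text as an expression, the step runs for every shard, so the plain expression form `if: matrix.shard-index == 0` is safer and clearer on both steps. The `mypy_primer` job these steps belong to starts outside the hunk. The new "Upload PR number" step reuses the artifact name `mypy_primer_diffs`, which the new comment workflow filters on, so a comment such as `# same artifact name as the diffs: mypy_primer_comment.yml downloads by this name` would keep the two files from drifting apart.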
@@ -0,0 +1,77 @@ +name: Post mypy_primer comment + +on: + workflow_run: + workflows: + - Run mypy_primer + types: + - completed + +permissions: + contents: read + pull-requests: write + +jobs: + comment: + name: Comment PR from mypy_primer + runs-on: ubuntu-latest + steps: + - name: Download diffs + uses: actions/github-script@v3 + with: + script: | + const fs = require('fs'); + const artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{ github.event.workflow_run.id }}, + }); + const [matchArtifact] = artifacts.data.artifacts.filter((artifact) => + artifact.name == "mypy_primer_diffs"); + + const download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: "zip", + }); + fs.writeFileSync("diff.zip", Buffer.from(download.data)); + + - run: unzip diff.zip + + - name: Post comment + uses: actions/github-script@v3 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const fs = require('fs') + const data = ( + ['diff_0.txt', 'diff_1.txt'] + .map(fileName => fs.readFileSync(fileName, { encoding: 'utf8' })) + .join('') + .substr(0, 30000) // About 300 lines + ) + + console.log("Diff from mypy_primer:") + console.log(data) + + let body + if (data.trim()) { + body = 'Diff from [mypy_primer](https://github.com/hauntsaninja/mypy_primer), showing the effect of this PR on open source code:\n```diff\n' + data + '```' + } else { + body = 'According to [mypy_primer](https://github.com/hauntsaninja/mypy_primer), this change has no effect on the checked open source code. 
🤖🎉' + } + + await github.issues.createComment({ + issue_number: fs.readFileSync("pr_number.txt", { encoding: "utf8" }), + owner: context.repo.owner, + repo: context.repo.repo, + body + }) + + # FIXME: comment hider doesn't work from this file +# - uses: kanga333/comment-hider@9141763feccc8da773595675adc567d6616b6e6f +# name: Hide old comments +# with: +# github_token: ${{ secrets.GITHUB_TOKEN }} +# leave_visible: 1
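Review bot: The privileged comment job passes the contents of `pr_number.txt` straight to `createComment` as `issue_number`, but that file comes from an artifact produced by the unprivileged run that the pull request itself controls, so the number should be validated before it decides where the comment lands (the diff text is equally under the PR's control, though it is only posted as a comment body). At minimum parse it as a positive integer — `echo | tee` in the producing workflow also leaves a trailing newline that is passed through unchanged here — and check that it belongs to the triggering run, for example by fetching the pull request and comparing its head commit with `github.event.workflow_run.head_sha` (confirm which SHA the pull_request-triggered run reports before relying on that comparison). In the download script, `artifact.name == "mypy_primer_diffs"` should be `===`, and when no artifact matches, `matchArtifact` is undefined and the next statement fails with an unrelated TypeError, so a guard with a clear message is worth adding. Since `types: completed` also fires for failed runs, a job-level `if: github.event.workflow_run.conclusion == 'success'` would avoid a noisy failure in the download step.
```yaml
      - name: Post comment
        uses: actions/github-script@v3
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const fs = require('fs')
            // … unchanged: read diff_0.txt/diff_1.txt into data, build body …

            // pr_number.txt was produced by the unprivileged PR run: treat it as
            // untrusted input, not as an authoritative pointer to the PR.
            const prNumber = Number.parseInt(
              fs.readFileSync("pr_number.txt", { encoding: "utf8" }).trim(), 10)
            if (!Number.isInteger(prNumber) || prNumber <= 0) {
              throw new Error("pr_number.txt does not contain a valid PR number")
            }
            const { data: pr } = await github.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
            })
            // Only comment on the PR whose head produced this workflow_run.
            if (pr.head.sha !== "${{ github.event.workflow_run.head_sha }}") {
              throw new Error("PR number in artifact does not match the workflow run")
            }

            await github.issues.createComment({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body
            })
```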