Use pull_request + workflow_run instead of pull_request_target

2026-04-28 18:25:24 +02:00 · 2021-10-28 18:20:46 +02:00
parent 3fb0139430
commit a0903c377d
2 changed files with 43 additions and 18 deletions
--- a/.github/workflows/post-pr-comment.yml
+++ b/.github/workflows/post-pr-comment.yml
@@ -0,0 +1,31 @@
+name: Post pull-request comment
+on:
+  workflow_run:
+    workflows: ["Query help preview"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  post_comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126
+        with:
+          workflow: ${{ github.event.workflow_run.workflow_id }}
+          workflow_conclusion: success
+          name: comment
+      - run: |
+          PR=$(grep -o '^[0-9]\+$' pr.txt)
+          PR_HEAD_SHA=$(gh api "/repos/${{ github.repository }}/pulls/${PR}" --jq .head.sha)
+          # Check that the pull-request head SHA matches the head SHA of the workflow run
+          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
+            exit 1
+          fi
+          cat comment.txt | gh pr comment "${PR}" --repo "${{ github.repository }}" -F -
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -4,7 +4,7 @@ permissions:
  contents: read

 on:
-  pull_request_target:
+  pull_request:
    branches:
      - main
      - "rc/*"
@@ -17,10 +17,16 @@ jobs:
      contents: read
    runs-on: ubuntu-latest
    steps:
+      - run: echo "${{  github.event.number }}" > pr.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: pr.txt
+          retention-days: 1
+
      - uses: github/codeql/.github/actions/fetch-codeql@main
      - uses: actions/checkout@v2
        with:
-          ref: refs/pull/${{ github.event.number }}/merge
          fetch-depth: 2
          persist-credentials: false

@@ -33,6 +39,7 @@ jobs:

      - name: QHelp preview
        run: |
+          echo "QHelp previews:" > comment.txt
          cat "${{ runner.temp }}/paths.txt" | while read path; do
            if [ ! -f "${path}" ]; then
               exit 1
@@ -41,23 +48,10 @@ jobs:
            echo
            codeql generate query-help --format=markdown -- "./${path}"
            echo "</details>"
-          done > comment.txt
+          done >> comment.txt

      - uses: actions/upload-artifact@v2
        with:
-          name: comment.txt
+          name: comment
          path: comment.txt
-
-  post_comment:
-    permissions:
-      pull-requests: write
-    runs-on: ubuntu-latest
-    needs: qhelp
-    steps:
-      - uses: actions/download-artifact@v2
-        with:
-          name: comment.txt
-      - run: |
-          (echo "QHelp previews:"; cat comment.txt) | gh pr comment "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" -F -
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+          retention-days: 1