From 54a03c883990f13031b005d4989dcbb2f38bd739 Mon Sep 17 00:00:00 2001
From: Robert
Date: Tue, 12 Dec 2023 16:39:23 +0000
Subject: [PATCH 1/2] Create issue when CLI tests fail on the default branch
---
 .github/workflows/cli-test.yml | 37 ++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/.github/workflows/cli-test.yml b/.github/workflows/cli-test.yml
index d158bfd53..9d0c52339 100644
--- a/.github/workflows/cli-test.yml
+++ b/.github/workflows/cli-test.yml
@@ -109,3 +109,40 @@ jobs:
 if: matrix.os == 'windows-latest'
 run: |
 npm run test:cli-integration
+
+ report-failure:
+ name: Report failure on the default branch
+ runs-on: ubuntu-latest
+ needs: [cli-test]
+ if: failure() && github.ref == 'refs/heads/main'
+ permissions:
+ issues: write
+ steps:
+ - name: Create GitHub issue
+ run: |
+ # Set -eu so that we fail if the gh command fails.
+ set -eu
+
+ # Try to find an existing open issue if there is one
+ ISSUE="$(gh issue list --repo "$GITHUB_REPOSITORY" --label "cli-test-failure" --state "open" --limit 1 --json number -q '.[0].number')"
+
+ if [[ -n "$ISSUE" ]]; then
+ echo "Found open issue number $ISSUE ($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/issues/$ISSUE)"
+ else
+ echo "Did not find an open tracking issue. Creating one."
+
+ ISSUE_BODY="issue-body.md"
+ printf "CLI tests have failed on the default branch.\n\n@github/code-scanning-secexp-reviewers" > "$ISSUE_BODY"
+
+ ISSUE="$(gh issue create --repo "$GITHUB_REPOSITORY" --label "cli-test-failure" --title "CLI test failure" --body-file "$ISSUE_BODY")"
+ # `gh issue create` returns the full issue URL, not just the number.
+ echo "Created issue with URL $ISSUE"
+ fi
+
+ COMMENT_FILE="comment.md"
+ RUN_URL=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+ printf 'CLI test [%s](%s) failed on ref `%s`' "$RUN_ID" "$RUN_URL" "$RUN_REF" > "$COMMENT_FILE"
+
+ # `gh issue create` returns an issue URL, and `gh issue list | cut -f 1` returns an issue number.
+ # Both are accepted here.
+ gh issue comment "$ISSUE" --repo "$GITHUB_REPOSITORY" --body-file "$COMMENT_FILE"
From 2e51c1a657df989539509a643546f5a8831f19ac Mon Sep 17 00:00:00 2001
From: Robert
Date: Tue, 19 Dec 2023 16:19:59 +0000
Subject: [PATCH 2/2] Fix workflow after testing it
---
 .github/workflows/cli-test.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cli-test.yml b/.github/workflows/cli-test.yml
index 9d0c52339..afb9b01e0 100644
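Review bot: The list-then-create sequence in the `Create GitHub issue` step is not atomic, so two failing runs on main that overlap can both find no open `cli-test-failure` issue and each open a new one. A job-level concurrency group on `report-failure` would serialise them, for example `concurrency: cli-test-failure-report`. The lookup also selects the tracking issue by label alone, so any open issue carrying that label receives the run comments; if that is intended, a one-line comment saying so would help the next maintainer. Separately, the comment above the final `gh issue comment` still refers to `gh issue list | cut -f 1`, while the lookup actually uses `--json number -q '.[0].number'`, so that comment should name the flag that is really used.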
--- a/.github/workflows/cli-test.yml
+++ b/.github/workflows/cli-test.yml
@@ -116,7 +116,10 @@ jobs:
 needs: [cli-test]
 if: failure() && github.ref == 'refs/heads/main'
 permissions:
+ contents: read
 issues: write
+ env:
+ GH_TOKEN: ${{ github.token }}
 steps:
 - name: Create GitHub issue
 run: |
@@ -141,7 +144,7 @@ jobs:
 
 COMMENT_FILE="comment.md"
 RUN_URL=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
- printf 'CLI test [%s](%s) failed on ref `%s`' "$RUN_ID" "$RUN_URL" "$RUN_REF" > "$COMMENT_FILE"
+ printf 'CLI test [%s](%s) failed on ref `%s`' "$GITHUB_RUN_ID" "$RUN_URL" "$GITHUB_REF" > "$COMMENT_FILE"
 
 # `gh issue create` returns an issue URL, and `gh issue list | cut -f 1` returns an issue number.
 # Both are accepted here.
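Review bot: `GH_TOKEN` is set in a job-level `env:` block, so any step later added to `report-failure` would inherit a token that carries `issues: write`, although only the `Create GitHub issue` step calls `gh`. Moving the two lines `env:` and `GH_TOKEN: ${{ github.token }}` under that step keeps the credential scoped to the one script that needs it. Passing the token through the environment rather than interpolating it into the script is the right pattern and should stay. The step list continues past the end of this hunk.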
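Review bot: The ref placeholder in the changed `printf` now prints `$GITHUB_REF`, but the job's `if:` only lets it run when `github.ref == 'refs/heads/main'`, so every comment carries the same ref and nothing identifies the failing commit. Adding one more `%s` to the format string with `"$GITHUB_SHA"` as its argument would record the commit on the tracking issue for triage. The `run:` script starts and ends outside this hunk.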