Comment on PR #22164
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: This workflow is triggered when the "Check" workflow completes. | |
| # Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code. | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # Based on https://github.com/spring-projects/spring-security/pull/15477/files | |
| name: Comment on PR | |
| on: | |
| workflow_run: | |
| # note when updating via a PR and testing - `workflow_run` executes from the `main` branch and not the PR branch | |
| workflows: ["Source Code Tests", "On PR opened/updated", "Check PR Format", "Link PR to Issue", "Check PR Modifications", "Check PR CHANGELOG.md"] | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow | |
| types: [completed] | |
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: 'PR number' | |
| required: true | |
| workflow_run_id: | |
| description: 'Workflow run id' | |
| required: true | |
| jobs: | |
| comment: | |
| if: ${{ github.repository == 'JabRef/jabref' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: write | |
| pull-requests: write | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Download PR number | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/download-artifact@v6 | |
| continue-on-error: true | |
| with: | |
| name: pr_number | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - name: Read pr_number.txt | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| id: read-pr_number | |
| run: | | |
| touch pr_number.txt | |
| PR_NUMBER=$(cat pr_number.txt) | |
| echo "Read PR number $PR_NUMBER" | |
| echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT | |
| - name: Checkout | |
| # required for gh tool and .github/ghprcomment.yml | |
| uses: actions/checkout@v5 | |
| with: | |
| show-progress: 'false' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Is PR from forked? | |
| if: ${{ github.event_name != 'workflow_dispatch' && steps.read-pr_number.outputs.pr_number != '' }} | |
| id: isCrossRepository | |
| run: | | |
| isCrossRepository=$(gh pr view $pr_number --json isCrossRepository --jq '.isCrossRepository') | |
| echo "Got isCrossRepository $isCrossRepository" | |
| echo isCrossRepository=$isCrossRepository >> $GITHUB_OUTPUT | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| pr_number: ${{ steps.read-pr_number.outputs.pr_number }} | |
| # Set a common variable for PR number and workflow_run_id from either event. | |
| - name: Set variables | |
| if: ${{ github.event_name == 'workflow_dispatch' || (steps.read-pr_number.outputs.pr_number != '' && steps.isCrossRepository.outputs.isCrossRepository == 'true') }} | |
| id: set-vars | |
| run: | | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "pr_number=${{ github.event.inputs.pr_number }}" >> $GITHUB_OUTPUT | |
| echo "workflow_run_id=${{ github.event.inputs.workflow_run_id }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "pr_number=${{ steps.read-pr_number.outputs.pr_number }}" >> $GITHUB_OUTPUT | |
| echo "workflow_run_id=${{ github.event.workflow_run.id }}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: "Check if PR has 'dev: no-bot-comments' label" | |
| if: ${{ github.event_name == 'workflow_dispatch' || (steps.read-pr_number.outputs.pr_number != '' && steps.isCrossRepository.outputs.isCrossRepository == 'true') }} | |
| id: check-label | |
| run: | | |
| has_label=$(gh pr view "${{ steps.set-vars.outputs.pr_number }}" --json labels -q \ | |
| '.labels[].name' | grep -Fxq "dev: no-bot-comments" && echo "true" || echo "false") | |
| echo "has_label=$has_label" >> "$GITHUB_OUTPUT" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # This step runs in both cases using the proper variables. | |
| - name: ghprcomment@main | |
| if: ${{ github.event_name == 'workflow_dispatch' || (steps.check-label.outputs.has_label == 'false' && steps.read-pr_number.outputs.pr_number != '' && steps.isCrossRepository.outputs.isCrossRepository == 'true') }} | |
| uses: jbangdev/[email protected] | |
| with: | |
| script: https://github.com/koppor/ghprcomment/blob/main/ghprcomment.java | |
| scriptargs: "-r JabRef/jabref -p ${{ steps.set-vars.outputs.pr_number }} -w ${{ steps.set-vars.outputs.workflow_run_id }}" | |
| trust: https://github.com/koppor/ghprcomment/ | |
| env: | |
| GITHUB_OAUTH: ${{ secrets.GH_TOKEN_JABREF_MACHINE_PR_APPROVE }} |