fly316/PX4-Autopilot
7
0
Fork 0
mirror of https://gitee.com/mirrors_PX4/PX4-Autopilot.git synced 2026-04-14 10:07:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
PX4-Autopilot/.github/workflows/pr-comment-poster.yml
Ramon Roche a0e42f2032 ci(workflows): bump all action versions to latest majors 
Bump every GitHub Action in the repository to its latest major
version, addressing the upcoming Node.js 20 deprecation. Several
of the old versions (checkout v4, cache v4, setup-node v4,
labeler v5) use the Node 20 runtime which GitHub is deprecating.
The new versions use Node 22.

- actions/checkout v4/v5 to v6
- actions/upload-artifact v4 to v7
- actions/download-artifact v4 to v8
- actions/cache, cache/restore, cache/save v4 to v5
- actions/setup-node v4 to v6
- actions/setup-python v5 to v6
- actions/github-script v7/v8 to v9
- actions/labeler v5 to v6
- peter-evans/find-comment v3 to v4
- dorny/paths-filter v3 to v4
- codecov/codecov-action v4 to v6
- docker/setup-buildx-action v3 to v4
- docker/build-push-action v6 to v7
- tj-actions/changed-files v46 to v47

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
2026-04-10 07:30:50 -06:00

156 lines
6.9 KiB
YAML
Raw Permalink Blame History

name: PR Comment Poster
# Generic PR comment poster. Any analysis workflow (clang-tidy, flash_analysis,
# fuzz coverage, SITL perf, etc.) can produce a `pr-comment` artifact and this
# workflow will post or update a sticky PR comment with its contents. Designed
# so that analysis jobs running on untrusted fork PRs can still get their
# results posted back to the PR.
#
# ==============================================================================
# SECURITY INVARIANTS
# ==============================================================================
# This workflow runs on `workflow_run` which means it runs in the BASE REPO
# context with a WRITE token, even when the triggering PR comes from a fork.
# That is the entire reason it exists, and also the reason it is a loaded
# footgun. Anyone modifying this file MUST preserve the following invariants:
#
# 1. NEVER check out PR code. No `actions/checkout` with a ref. No git clone
# of a fork branch. No execution of scripts from the downloaded artifact.
# The ONLY things read from the artifact are `manifest.json` and `body.md`,
# and both are treated as opaque data (JSON parsed by the poster script
# and markdown posted verbatim via the GitHub API).
#
# 2. `pr_number` is validated to be a positive integer before use.
# `marker` is validated to be printable ASCII only before use. Validation
# happens inside Tools/ci/pr-comment-poster.py which is checked out from
# the base branch, not from the artifact.
#
# 3. The comment body is passed to the GitHub API as a JSON field, never
# interpolated into a shell command string.
#
# 4. This workflow file lives on the default branch. `workflow_run` only
# loads workflow files from the default branch, so a fork cannot modify
# THIS file as part of a PR. The fork CAN cause this workflow to fire
# by triggering a producer workflow that uploads a `pr-comment` artifact.
# That is intended.
#
# 5. The artifact-name filter (`pr-comment`) is the only gate on which
# workflow runs get processed. Any workflow in this repo that uploads
# an artifact named `pr-comment` is trusted to have written the
# manifest and body itself, NOT copied fork-controlled content into
# them. Producer workflows are responsible for that.
#
# 6. `actions/checkout@v6` below uses NO ref (so it pulls the base branch,
# the default-branch commit this workflow file was loaded from) AND uses
# sparse-checkout to materialize ONLY Tools/ci/pr-comment-poster.py and
# its stdlib-only helper module Tools/ci/_github_helpers.py. The rest of
# the repo never touches the workspace. This is safe: the only files the
# job executes are base-repo Python scripts that were reviewed through
# normal code review, never anything from the PR.
#
# ==============================================================================
# ARTIFACT CONTRACT
# ==============================================================================
# Producers upload an artifact named exactly `pr-comment` containing:
#
# manifest.json:
# {
# "pr_number": 12345, // required, int > 0
# "marker": "<!-- pr-comment-poster:flash-analysis -->", // required, printable ASCII
# "mode": "upsert" // optional, default "upsert"
# }
#
# body.md: the markdown content of the comment. Posted verbatim.
#
# The `marker` string is used to find an existing comment to update. It MUST
# be unique per producer (e.g. include the producer name). If no existing
# comment contains the marker, a new one is created. If the marker is found
# in an existing comment, that comment is edited in place.
#
# Producers MUST write `pr_number` from their own workflow context
# (`github.event.pull_request.number`) and MUST NOT read it from any
# fork-controlled source.
on:
workflow_run:
# Producers that may upload a `pr-comment` artifact. When a new producer
# is wired up, add its workflow name here. Runs of workflows not in this
# list will never trigger the poster. Every run of a listed workflow will
# trigger the poster, which will no-op if no `pr-comment` artifact exists.
workflows:
- "FLASH usage analysis"
- "Docs - Orchestrator"
types:
- completed
permissions:
pull-requests: write
actions: read
contents: read
jobs:
post:
name: Post PR Comment
runs-on: ubuntu-latest
# Only run for pull_request producer runs. Push-to-main and other
# non-PR triggers would have no comment to post, and silently no-oping
# inside the script made it look like the poster was broken. Gating at
# the job level surfaces those as a clean "Skipped" in the UI instead.
if: >-
github.event.workflow_run.conclusion != 'cancelled'
&& github.event.workflow_run.event == 'pull_request'
steps:
# Checkout runs first so the poster script is available AND so that
# actions/checkout@v6's default clean step does not delete the artifact
# zip that the next step writes into the workspace. Sparse-checkout
# restricts the materialized tree to just the poster script.
- name: Checkout poster script only
uses: actions/checkout@v6
with:
sparse-checkout: |
Tools/ci/pr-comment-poster.py
Tools/ci/_github_helpers.py
sparse-checkout-cone-mode: false
- name: Download pr-comment artifact
id: download
uses: actions/github-script@v9
with:
script: |
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
const match = artifacts.data.artifacts.find(a => a.name === 'pr-comment');
if (!match) {
core.info('No pr-comment artifact on this run; nothing to post.');
core.setOutput('found', 'false');
return;
}
const download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: match.id,
archive_format: 'zip',
});
const fs = require('fs');
fs.writeFileSync('pr-comment.zip', Buffer.from(download.data));
core.setOutput('found', 'true');
- name: Unpack artifact
if: steps.download.outputs.found == 'true'
run: |
mkdir -p pr-comment
unzip -q pr-comment.zip -d pr-comment
- name: Validate artifact
if: steps.download.outputs.found == 'true'
run: python3 Tools/ci/pr-comment-poster.py validate pr-comment
- name: Upsert sticky comment
if: steps.download.outputs.found == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: python3 Tools/ci/pr-comment-poster.py post pr-comment
Reference in New Issue View Git Blame Copy Permalink