ci: fix comment workflow for forks (#787)

yeisonvargasf · web-flow · commit f14b3b494cbc · 2025-09-03T14:04:46.000-05:00
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
@@ -0,0 +1,96 @@
+name: PR Comment
+
+on:
+  workflow_run:
+    workflows: ["Pull Request"]
+    types: [completed]
+
+permissions:
+  issues: write
+  actions: read
+
+jobs:
+  comment:
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+          github.event.workflow_run.conclusion == 'success' &&
+          (github.event.workflow_run.pull_requests && github.event.workflow_run.pull_requests[0]) }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Comment PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const run = context.payload.workflow_run
+            const pr = (run.pull_requests && run.pull_requests[0]) || null
+            if (!pr) {
+              core.info('No associated PR found; skipping comment.')
+              return
+            }
+
+            const runId = run.id
+            const artifactsUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${runId}/`
+            const prNumber = pr.number
+            const author = pr.user?.login || run.actor?.login || 'unknown'
+            const forkRepo = (pr.head && pr.head.repo && pr.head.repo.full_name) ? pr.head.repo.full_name : `${author}:unknown-repo`
+            const diffUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/pull/${prNumber}/files`
+
+            const comment = `
+            ## 🚀 Build artifacts are ready for testing!
+
+            > Security notice: You are viewing pre-release CI artifacts from PR #${prNumber} by @${author} (source: ${forkRepo}). These commands may execute code on your machine. Do NOT run them unless you have reviewed the [PR diff](${diffUrl}) and trust the source. The snippets include a confirmation prompt.
+
+            Download the wheel file and binaries with gh CLI or from the [workflow artifacts](${artifactsUrl}).
+
+            ### 📦 Install & Run
+
+            #### Pre-requisites
+            \`\`\`bash
+            # Install uv if needed
+            curl -LsSf https://astral.sh/uv/install.sh | sh
+
+            # Create and enter artifacts directory
+            mkdir artifacts && cd artifacts
+            \`\`\`
+
+            #### Quick Test with Python Package
+            \`\`\`bash
+            bash -c 'set -euo pipefail; printf "\n%s\n\n" "WARNING: You are about to download and execute CI artifacts from PR #${prNumber} by @${author} (source: ${forkRepo}). Do NOT proceed unless you have reviewed the PR diff and trust the source."; printf "%s" "Type I understand to continue: "; read -r C; [ "$C" = "I understand" ] || { echo Aborted.; exit 1; }; gh run download ${runId} -n dist -R ${context.repo.owner}/${context.repo.repo}; uvx ./dist/safety-*-py3-none-any.whl --version'
+            \`\`\`
+
+            #### Run other Safety commands as follows
+            \`\`\`bash
+            uvx ./dist/safety-*-py3-none-any.whl auth status
+            uvx ./dist/safety-*-py3-none-any.whl auth login
+            uvx ./dist/safety-*-py3-none-any.whl scan
+            \`\`\`
+
+            > Note: You need to be logged in to GitHub to access the artifacts.
+            `
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+            })
+
+            const botComment = comments.find(c =>
+              c.user?.type === 'Bot' &&
+              c.body?.includes('Build artifacts are ready for testing!')
+            )
+
+            if (botComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: comment,
+              })
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                body: comment,
+              })
+            }
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -10,86 +10,4 @@ jobs:
     uses: ./.github/workflows/reusable-build.yml
     with:
       bump-command: "local-bump"
-      branch-name: ${{ github.head_ref }}
-
-  comment:
-    needs: build-preview
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Comment PR
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const version = '${{ needs.build-preview.outputs.package-version }}'
-            const artifactsUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}/`
-
-            const comment = `
-            ## 🚀 Build artifacts are ready for testing!
-
-            Download the wheel file and binaries with gh CLI or from the [workflow artifacts](${artifactsUrl}).
-
-            ### 📦 Install & Run
-
-            #### Pre-requisites
-            \`\`\`bash
-            
-            # Install uv if needed
-            curl -LsSf https://astral.sh/uv/install.sh | sh
-            
-            # Create and enter artifacts directory
-            mkdir artifacts && cd artifacts
-            \`\`\`
-
-            #### Quick Test with Python Package
-            \`\`\`bash
-            # Download and run with uv
-            gh run download ${context.runId} -n dist -R pyupio/safety
-            uv run --with safety-${version}-py3-none-any.whl safety --version
-            \`\`\`
-
-            #### Binary Installation
-            \`\`\`bash
-            # Linux
-            gh run download ${context.runId} -n safety-linux -D linux -R pyupio/safety
-            cd linux && mv safety safety-pr && chmod +x safety-pr
-
-            # macOS
-            gh run download ${context.runId} -n safety-macos -D macos -R pyupio/safety
-            cd macos && mv safety safety-pr && chmod +x safety-pr
-            
-            # Windows
-            gh run download ${context.runId} -n safety-windows -D windows -R pyupio/safety
-            cd windows && mv safety.exe safety-pr.exe
-            
-            ./safety-pr --version
-            \`\`\`
-
-            > Note: You need to be logged in to GitHub to access the artifacts.
-            `
-            
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            })
-            
-            const botComment = comments.find(comment => 
-              comment.user.type === 'Bot' && 
-              comment.body.includes('Build artifacts are ready for testing!')
-            )
-            
-            if (botComment) {
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-                body: comment
-              })
-            } else {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body: comment
-              })
-            }
+      branch-name: ${{ github.head_ref }}
