Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Combining trigger pull_request and workflow_run

See original GitHub issue

Hi, as per GitHub recommendations, it’s dangerous to use pull_request_target, they recommend using pull_request with workflow_run.

I have tried to do this with this GitHub Action here and here are the logs:

/usr/bin/docker run --name e400d0fdeb040d443bb87865509f8e811d_620554 --label 5588e4 --workdir /github/workspace --rm -e INPUT_CHECK_NAME -e INPUT_GITHUB_TOKEN -e INPUT_FILES -e INPUT_REPORT_INDIVIDUAL_RUNS -e INPUT_CHECK_RUN_ANNOTATIONS -e INPUT_COMMIT -e INPUT_COMMENT_TITLE -e INPUT_DEDUPLICATE_CLASSES_BY_FILE_NAME -e INPUT_HIDE_COMMENTS -e INPUT_COMMENT_ON_PR -e INPUT_TEST_CHANGES_LIMIT -e INPUT_CHECK_RUN_ANNOTATIONS_BRANCH -e INPUT_LOG_LEVEL -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/nHapi/nHapi":"/github/workspace" 5588e4:00d0fdeb040d443bb87865509f8e811d
2021-02-10 20:52:10 +0000 - publish-unit-test-results -  INFO - reading **/*.xml
2021-02-10 20:52:10 +0000 - publish.publisher -  INFO - publishing success results for commit b1e94751b354cc4fbd75e4bb282eca419f6555d4
2021-02-10 20:52:10 +0000 - publish.publisher -  INFO - creating check
2021-02-10 20:52:11 +0000 - publish.publisher -  INFO - there is no pull request for commit b1e94751b354cc4fbd75e4bb282eca419f6555d4

what am I missing to ensure it will comment on the forked PR?

Issue Analytics

State:
Created 3 years ago
Comments:10 (5 by maintainers)

Top GitHub Comments

2reactions

EnricoMicommented, Feb 11, 2021

You need to somehow get the action to know the commit sha, maybe like this:

with:
  commit: ${{ github.event.workflow_run.head_sha }}

1reaction

EnricoMicommented, May 25, 2021

The code that downloads artifacts from the triggering workflow can be simplified from:

- name: Download Artifacts
  uses: actions/github-script@v3
  with:
    script: |
       var fs = require('fs');
       var path = require('path');
       var artifacts_path = path.join('${{github.workspace}}', 'artifacts')
       fs.mkdirSync(artifacts_path, { recursive: true })

       var artifacts = await github.actions.listWorkflowRunArtifacts({
          owner: context.repo.owner,
          repo: context.repo.repo,
          run_id: ${{ github.event.workflow_run.id }},
       });

       for (const artifact of artifacts.data.artifacts) {
          var download = await github.actions.downloadArtifact({
             owner: context.repo.owner,
             repo: context.repo.repo,
             artifact_id: artifact.id,
             archive_format: 'zip',
          });
          var artifact_path = path.join(artifacts_path, `${artifact.name}.zip`)
          fs.writeFileSync(artifact_path, Buffer.from(download.data));
          console.log(`Downloaded ${artifact_path}`);
       }
- name: Extract Artifacts
  run: |
    for file in artifacts/*.zip
    do
      if [ -f "$file" ]
      then
        dir="${file/%.zip/}"
        mkdir -p "$dir"
        unzip -d "$dir" "$file"
      fi
    done

to:

- name: Download and Extract Artifacts
  env:
    GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
  run: |
    mkdir artifacts && cd artifacts

    artifacts_url=${{ github.event.workflow_run.artifacts_url }}
    artifacts=$(gh api $artifacts_url -q '.artifacts[] | {name: .name, url: .archive_download_url}')

    IFS=$'\n'
    for artifact in $artifacts
    do
      name=$(jq -r .name <<<$artifact)
      url=$(jq -r .url <<<$artifact)
      gh api $url > "$name.zip"
      unzip -d "$name" "$name.zip"
    done

I think you use the first version. Whereas I now move to the below simplified version. Just in case you are interested. Both versions work equally well.