Skip to content

fix(ci): record and use the PR number to post the comment #286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
upils wants to merge 5 commits into
base: main
Choose a base branch
from
+25 −8
Open

fix(ci): record and use the PR number to post the comment #286

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
65852dd
fix(ci): record and use the PR number to post the comment
upils Apr 8, 2026
79e398c
fix: avoid attacker controlling PR number
upils Apr 20, 2026
2658af1
fix: avoid shell injection
upils Apr 23, 2026
3d374f4
ci: filter PR search by author and sort
upils Apr 24, 2026
95a488d
ci: address review
upils Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 23 additions & 4 deletions .github/workflows/comment-perf.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,32 @@ jobs:
uses: actions/download-artifact@v4
with:
name: benchmark-report
path: benchmark-report.txt
path: benchmark-report.md
github-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
run-id: ${{ github.event.workflow_run.id }}

- name: Get PR number
id: get-pr-number
env:
GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
Comment thread
upils marked this conversation as resolved.
# The branch name is considered an untrusted input value (under the
# contributor's control), so store it in a variable to avoid shell
# injection.
# In the unlikely case where multiple PRs, on the same branch, from the
# same author exists, the most recent one is selected.
QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} sort:updated-desc author:${{ github.event.workflow_run.head_repository.owner.login }} ${{ github.event.workflow_run.head_sha }}"
# Filters and formats the JSON into a `key=value` string with basic error handling.
JQ_FILTER: >-
.[0]
| if (.number == null) then error("Cannot find PR number") end
| "number=\(.number)"
run: |
gh pr list --repo "${{ github.repository }}" --state all --search "${QUERY_PR}" \
Comment thread
upils marked this conversation as resolved.
--json number --jq "${JQ_FILTER}" >> "${GITHUB_OUTPUT}"

- name: Post message to PR
uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8
uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2
with:
message-path: benchmark-report.txt
issue: ${{ github.event.workflow_run.pull_requests[0].number }}
Copy link
Copy Markdown

@polarathene polarathene Apr 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for context of this removal for anyone interested, github.event.workflow_run.pull_requests is only present when the PR is not a branch from a fork of the repo IIRC, so it's an unreliable source.

Copy link
Copy Markdown
Contributor

@niemeyer niemeyer Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing something the context for this PR... how come we have the PR at hand and not the number?

This whole workflow is conditioning on github.event.workflow_run.event == 'pull_request'.

I realize that this is all being done in the name of security, but the amout of fiddling with stuff that supposedly should be simple really makes it feel like we'll see more serious issues soon.

Copy link
Copy Markdown
Collaborator Author

@upils upils Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm missing something the context for this PR... how come we have the PR at hand and not the number?

This workflow is triggered by the other one and is receiving a github.event.workflow_run payload. However github.event.workflow_run.pull_requests is empty when triggered from a fork. This issue was raised to GitHub multiple times, but AFAIK they never really answered nor addressed it. So we have to work around that and resort to a more convoluted method to get the PR number.

message-path: benchmark-report.md
issue: ${{ steps.get-pr-number.outputs.number }}
repo-token: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
6 changes: 2 additions & 4 deletions .github/workflows/performance.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,14 +65,12 @@ jobs:
- name: Run benchmark
id: benchmark
run: |
msg_file="$(mktemp)"
echo "msg_file=$msg_file" >> $GITHUB_OUTPUT
chmod +x base head
hyperfine --export-markdown "$msg_file" "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD"
hyperfine --export-markdown benchmark-report.md "./base info --release ./chisel-releases 'python3.12_core'" -n "BASE" "./head info --release ./chisel-releases 'python3.12_core'" -n "HEAD"

- name: Upload result
uses: actions/upload-artifact@v4
with:
name: benchmark-report
path: ${{ steps.benchmark.outputs.msg_file }}
path: benchmark-report.md
retention-days: 1
Loading