Merge pull request #33 from apuchmarcos/fixCI/coverageComment

apuchmarcos · web-flow · commit 9d93801c44c7 · 2026-03-02T11:04:27.000+01:00
fix(ci): use workflow_run for fork-safe PR coverage comments
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -45,10 +45,6 @@ jobs:
   build-and-test:
     name: Build and Test with Coverage
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write  # Required for posting comments on PRs
-    
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -92,35 +88,22 @@ jobs:
           TOTAL=$(go tool cover -func=coverage.out | grep total | awk '{print $3}')
           echo "total=$TOTAL" >> $GITHUB_OUTPUT
 
-      # Publish coverage report as PR comment
-      - name: Publish coverage comment on PR
+      # Save coverage data and PR number for the coverage-comment workflow
+      - name: Save coverage data for PR comment
         if: github.event_name == 'pull_request'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COVERAGE: ${{ steps.coverage.outputs.total }}
         run: |
-          # Create comment body using heredoc
-          cat << 'EOF' > comment.md
-          ## 📊 Coverage Report
-
-          **Total Coverage:** `${{ steps.coverage.outputs.total }}`
-
-          <details>
-          <summary>📋 Coverage Details</summary>
+          mkdir -p coverage-report
+          cp coverage-summary.txt coverage-report/
+          echo "${{ steps.coverage.outputs.total }}" > coverage-report/coverage-total.txt
+          echo "${{ github.event.pull_request.number }}" > coverage-report/pr-number.txt
 
-          ```
-          EOF
-          cat coverage-summary.txt >> comment.md
-          cat << 'EOF' >> comment.md
-          ```
-
-          </details>
-
-          ---
-          *Generated by CI workflow*
-          EOF
-          
-          gh pr comment ${{ github.event.pull_request.number }} --body-file comment.md
+      - name: Upload coverage report artifact
+        if: github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage-report/
+          retention-days: 1
 
       # Upload binaries as artifacts (for all runs)
       - name: Upload binaries as artifacts
diff --git a/.github/workflows/coverage-comment.yml b/.github/workflows/coverage-comment.yml
@@ -0,0 +1,90 @@
+# ============================================================================
+# Coverage Comment Workflow
+# ============================================================================
+# Posts coverage reports as PR comments using the workflow_run event.
+# This approach is fork-safe: the GITHUB_TOKEN has write access because
+# this workflow always runs from the default branch's code, not the fork's.
+#
+# Security:
+#   - All artifact data (PR number, coverage values) is validated with
+#     strict regex before use to prevent injection attacks.
+#   - This workflow's code cannot be modified by fork PRs.
+# ============================================================================
+
+name: Coverage Comment
+
+on:
+  workflow_run:
+    workflows: ["CI/CD"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  comment:
+    name: Post Coverage Comment
+    runs-on: ubuntu-latest
+    # Only run when the triggering workflow was a successful PR build
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Download coverage artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage-report
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Validate and extract PR number (must be numeric only)
+      - name: Validate and read PR number
+        id: pr
+        run: |
+          PR_NUMBER=$(cat coverage-report/pr-number.txt | tr -d '[:space:]')
+          if ! echo "$PR_NUMBER" | grep -qE '^[0-9]+$'; then
+            echo "::error::Invalid PR number: '$PR_NUMBER'"
+            exit 1
+          fi
+          echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+
+      # Validate and extract coverage total (must match percentage pattern)
+      - name: Validate and read coverage total
+        id: coverage
+        run: |
+          TOTAL=$(cat coverage-report/coverage-total.txt | tr -d '[:space:]')
+          if ! echo "$TOTAL" | grep -qE '^[0-9]+(\.[0-9]+)?%$'; then
+            echo "::error::Invalid coverage value: '$TOTAL'"
+            exit 1
+          fi
+          echo "total=$TOTAL" >> $GITHUB_OUTPUT
+
+      # Build and post the PR comment
+      - name: Post coverage comment
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          {
+            echo "## 📊 Coverage Report"
+            echo ""
+            echo "**Total Coverage:** \`${{ steps.coverage.outputs.total }}\`"
+            echo ""
+            echo "<details>"
+            echo "<summary>📋 Coverage Details</summary>"
+            echo ""
+            echo '```'
+            cat coverage-report/coverage-summary.txt
+            echo '```'
+            echo ""
+            echo "</details>"
+            echo ""
+            echo "---"
+            echo "*Generated by CI workflow*"
+          } > comment.md
+
+          gh pr comment ${{ steps.pr.outputs.number }} \
+            --repo "${{ github.repository }}" \
+            --body-file comment.md
