testing security-guardian.yml

moelasmar · web-flow · commit 62b80d8419f8 · 2025-04-11T18:22:06.000-07:00
diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml
@@ -2,9 +2,62 @@ name: Security Guardian
 on:
   pull_request: {}
 
+  # Triggered from a separate job when a review is added
+  workflow_run:
+    workflows: [PR Linter Trigger]
+    types:
+      - completed
+
+  # Trigger when a status is updated (CodeBuild leads to statuses)
+  status: {}
+
+  # Trigger when a check suite is completed (GitHub actions and CodeCov create checks)
+  check_suite:
+    types: [completed]
+
 jobs:
+  download-if-workflow-run:
+    runs-on: ubuntu-latest
+    outputs:
+      pr_number: ${{ steps.pr_output.outputs.pr_number }}
+      pr_sha: ${{ steps.pr_output.outputs.pr_sha }}
+    # if conditions on all individual steps because subsequent jobs depend on this job
+    # and we cannot skip it entirely
+    steps:
+      - name: 'Download workflow_run artifact'
+        if: github.event_name == 'workflow_run'
+        uses: dawidd6/action-download-artifact@v9
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr_info
+          path: pr/
+          search_artifacts: true
+
+      - name: 'Determine PR info'
+        # PR info comes from the artifact if downloaded, or GitHub context if not.
+        if: github.event_name == 'workflow_run'
+        id: 'pr_output'
+        run: |
+          if [[ ! -f pr/pr_number ]]; then
+            echo "${{ github.event.pull_request.number }}" > pr/pr_number
+          fi
+          if [[ ! -f pr/pr_sha ]]; then
+            echo "${{ github.event.pull_request.head.sha }}" > pr/pr_sha
+          fi
+          cat pr/*
+          echo "pr_number=$(cat pr/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_sha=$(cat pr/pr_sha)" >> "$GITHUB_OUTPUT"
+
   run-security-guardian:
+    # Necessary to have sufficient permissions to write to the PR
+    permissions:
+      contents: read
+      pull-requests: write
+      statuses: read
+      issues: read
+      checks: read
     runs-on: ubuntu-latest
+    needs: download-if-workflow-run
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -14,7 +67,7 @@ jobs:
         run: |
           echo "Getting changed CloudFormation templates..."
           mkdir -p changed_templates
-          
+
           git fetch origin main --depth=1
 
           base_sha="${{ github.event.pull_request.base.sha }}"
