Use pull_request + workflow_run instead of pull_request_target

aibaars · aibaars · commit a0903c377d2a · 2021-10-29T18:18:06.000+02:00
diff --git a/.github/workflows/post-pr-comment.yml b/.github/workflows/post-pr-comment.yml
@@ -0,0 +1,31 @@
+name: Post pull-request comment
+on:
+  workflow_run:
+    workflows: ["Query help preview"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  post_comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126
+        with:
+          workflow: ${{ github.event.workflow_run.workflow_id }}
+          workflow_conclusion: success
+          name: comment
+      - run: |
+          PR=$(grep -o '^[0-9]\+$' pr.txt)
+          PR_HEAD_SHA=$(gh api "/repos/${{ github.repository }}/pulls/${PR}" --jq .head.sha)
+          # Check that the pull-request head SHA matches the head SHA of the workflow run
+          if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then
+            exit 1
+          fi
+          cat comment.txt | gh pr comment "${PR}" --repo "${{ github.repository }}" -F -
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }}
diff --git a/.github/workflows/qhelp-pr-preview.yml b/.github/workflows/qhelp-pr-preview.yml
@@ -4,7 +4,7 @@ permissions:
   contents: read
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - "rc/*"
@@ -17,10 +17,16 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
+      - run: echo "${{  github.event.number }}" > pr.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: comment
+          path: pr.txt
+          retention-days: 1
+
       - uses: github/codeql/.github/actions/fetch-codeql@main
       - uses: actions/checkout@v2
         with:
-          ref: refs/pull/${{ github.event.number }}/merge
           fetch-depth: 2
           persist-credentials: false
 
@@ -33,6 +39,7 @@ jobs:
 
       - name: QHelp preview
         run: |
+          echo "QHelp previews:" > comment.txt
           cat "${{ runner.temp }}/paths.txt" | while read path; do
             if [ ! -f "${path}" ]; then
                exit 1
@@ -41,23 +48,10 @@ jobs:
             echo
             codeql generate query-help --format=markdown -- "./${path}"
             echo "</details>"
-          done > comment.txt
+          done >> comment.txt
 
       - uses: actions/upload-artifact@v2
         with:
-          name: comment.txt
+          name: comment
           path: comment.txt
-
-  post_comment:
-    permissions:
-      pull-requests: write
-    runs-on: ubuntu-latest
-    needs: qhelp
-    steps:
-      - uses: actions/download-artifact@v2
-        with:
-          name: comment.txt
-      - run: |
-          (echo "QHelp previews:"; cat comment.txt) | gh pr comment "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" -F -
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+          retention-days: 1
