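name: ASH Security Scan - Post Comments

# Runs in the base repository after "ASH PR Scan" completes and re-posts that
# run's result as a PR comment. This workflow holds a pull-requests:write token,
# while every file in the downloaded artifact was produced by the scanned PR's
# own run (possibly from a fork). Nothing read from /tmp/ash-results is therefore
# trusted to decide *where* the comment goes: the PR number is validated for
# shape in the shell step and bound to the triggering run's head SHA before any
# comment is created, updated or deleted.
on:
  workflow_run:
    workflows: ["ASH PR Scan"]
    types:
      - completed

permissions:
  pull-requests: write
  actions: read

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: ash-security-results
          path: /tmp/ash-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Get PR information
        id: pr-info
        run: |
          # Artifact files are PR-controlled; validate before appending to
          # $GITHUB_OUTPUT, otherwise a newline in the file would let the
          # artifact define additional step outputs.
          if [ ! -f /tmp/ash-results/pr_number.txt ]; then
            echo "No PR number found in artifacts"
            exit 1
          fi
          PR_NUMBER=$(tr -d '[:space:]' < /tmp/ash-results/pr_number.txt)
          if ! printf '%s' "${PR_NUMBER}" | grep -Eq '^[0-9]+$'; then
            echo "PR number in artifact is not numeric"
            exit 1
          fi
          echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          echo "Found PR number: ${PR_NUMBER}"

          # pr_sha is informational only (shown in the comment header); the
          # trusted SHA used for validation comes from the workflow_run event.
          if [ -f /tmp/ash-results/pr_sha.txt ]; then
            PR_SHA=$(tr -d '[:space:]' < /tmp/ash-results/pr_sha.txt)
            if printf '%s' "${PR_SHA}" | grep -Eq '^[0-9a-fA-F]{7,40}$'; then
              echo "pr_sha=${PR_SHA}" >> "$GITHUB_OUTPUT"
              echo "Found PR SHA: ${PR_SHA}"
            else
              echo "Ignoring malformed PR SHA in artifacts"
            fi
          fi

      - name: Post comment on PR
        if: steps.pr-info.outputs.pr_number
        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
          PR_SHA: ${{ steps.pr-info.outputs.pr_sha }}
          # Trusted: taken from the workflow_run event payload, not the artifact.
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const commentPath = '/tmp/ash-results/pr_comment.md';
            if (!fs.existsSync(commentPath)) {
              console.log('No comment file found in artifacts');
              return;
            }
            // The comment text itself is scan output for the PR being commented
            // on; it is posted verbatim, so it can only affect that PR's thread.
            const commentBody = fs.readFileSync(commentPath, 'utf8');
            const prSha = process.env.PR_SHA;
            const headSha = process.env.HEAD_SHA;

            // PR_NUMBER originated in the artifact: accept only a plain decimal.
            const rawPrNumber = process.env.PR_NUMBER ?? '';
            if (!/^\d+$/.test(rawPrNumber)) {
              console.log('Invalid PR number');
              return;
            }
            const prNumber = Number.parseInt(rawPrNumber, 10);
            if (prNumber <= 0) {
              console.log('Invalid PR number');
              return;
            }

            // Bind the artifact's PR number to the run that produced it: the PR
            // must currently point at the commit the triggering run scanned.
            // Without this check a PR could write any PR number into the
            // artifact and have this token post to, and delete comments from,
            // an unrelated PR. A mismatch after a newer push is expected; that
            // push triggers its own scan and comment run.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
            });
            if (!headSha || pr.head.sha !== headSha) {
              core.setFailed(`PR #${prNumber} head ${pr.head.sha} does not match scanned commit ${headSha || 'unknown'}; refusing to comment`);
              return;
            }

            // Get existing comments
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
            });

            // Find ALL ASH security scan comments. The heading/phrase matches
            // exist for comments posted before the HTML marker was introduced.
            const ashComments = comments.filter((comment) =>
              comment.user.type === 'Bot' &&
              (comment.body.includes('<!-- ASH-SECURITY-SCAN-COMMENT -->') ||
               comment.body.includes('## ✅ Security Scan Report') ||
               comment.body.includes('## ❌ Security Scan Report') ||
               comment.body.includes('## ⚠️ Security Scan Report') ||
               comment.body.includes('Latest scan for commit:') ||
               comment.body.includes('ASH Security Scan Report'))
            );
            console.log(`Found ${ashComments.length} ASH security scan comments`);

            // Most recent ASH comment first (highest ID = most recent).
            const byNewest = [...ashComments].sort((a, b) => b.id - a.id);
            const existingComment = byNewest[0] ?? null;

            // Delete any duplicate/older ASH comments (keep only the most recent one)
            if (byNewest.length > 1) {
              console.log(`Cleaning up ${byNewest.length - 1} duplicate ASH comments`);
              for (const comment of byNewest.slice(1)) {
                try {
                  await github.rest.issues.deleteComment({
                    owner: context.repo.owner,
                    repo: context.repo.repo,
                    comment_id: comment.id,
                  });
                  console.log(`Deleted duplicate comment ${comment.id}`);
                } catch (error) {
                  // Best effort: a leftover duplicate is cosmetic, not a failure.
                  console.log(`Failed to delete comment ${comment.id}: ${error.message}`);
                }
              }
            }

            // Add commit and timestamp info to the body. Prefer the event's
            // head SHA; fall back to the (validated) artifact SHA for display.
            const timestamp = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
            const displaySha = headSha || prSha;
            const shortSha = displaySha ? displaySha.substring(0, 7) : 'unknown';
            const enhancedBody = `**Latest scan for commit:** \`${shortSha}\` **| Updated:** ${timestamp}\n\n${commentBody}\n\n<!-- ASH-SECURITY-SCAN-COMMENT -->`;

            if (existingComment) {
              // Update existing comment
              console.log(`Updating existing comment ${existingComment.id}`);
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existingComment.id,
                body: enhancedBody,
              });
              console.log('Successfully updated existing ASH security scan comment');
            } else {
              // Create new comment
              console.log('No existing ASH comment found, creating new one');
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: prNumber,
                body: enhancedBody,
              });
              console.log('Successfully created new ASH security scan comment');
            }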