ci: refactor PR commenting to use dedicated workflow

vprashar2929 · vprashar2929 · commit d0d72a9fb11e · 2025-08-25T16:44:54.000+05:30
Split PR comment functionality into a separate reusable workflow to eliminate security risks associated with using `pull_request_target` event. The new approach works as follows: - Source workflows upload comment message as artifacts - A dedicated `pr-comment` workflow downloads the artifact - Comments are posted using the safer `workflow_run` event trigger This provides a better security isolation by ensuring PR comment workflows run in the context of the base branch rather than the potentially untrusted PR branch. Benefits: - Eliminates `pull_request_target` event security risks - Centralizes PR commenting logic for consistency Addresses #2287 Signed-off-by: vprashar2929 <vibhu.sharma2929@gmail.com>
diff --git a/.github/workflows/config-change.yaml b/.github/workflows/config-change.yaml
@@ -1,12 +1,7 @@
 name: Check Config Changes
 
 on: #yamllint disable-line rule:truthy
-  pull_request_target:
-  # Using `pull_request_target` event type to allow the workflow to comment on the PR.
-  # Refer: https://github.com/thollander/actions-comment-pull-request?tab=readme-ov-file#permissions
-permissions:
-  pull-requests: write
-  contents: write
+  pull_request:
 
 jobs:
   check-changes:
@@ -40,7 +35,7 @@ jobs:
             helm:
               - 'manifests/helm/kepler/values.yaml'
 
-  comment-on-pr:
+  generate-comment-message:
     needs: check-changes
     if: >-
         needs.check-changes.outputs.changes == 'true' &&
@@ -54,10 +49,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Generate comment message
-        id: generate_message
         run: |
           {
-            echo "message<<EOF"
             echo "⚠️ Config changes detected in this PR"
             echo "Please make sure that the config changes are updated in the following places as part of this PR:"
             if [[ "${{ needs.check-changes.outputs.doc_changes }}" != "true" ]]; then
@@ -76,8 +69,13 @@ jobs:
               echo "- manifests/helm/kepler/values.yaml"
             fi
             echo "EOF"
-          } >> $GITHUB_OUTPUT
-      - name: Comment on PR
-        uses: thollander/actions-comment-pull-request@v3
+          } > /tmp/message.txt
+
+      # NOTE: Uploading the message as an artifact so that PR Comment workflow can use it to
+      # add comment on PR with the message.
+      - name: Upload message
+        uses: actions/upload-artifact@v4
         with:
-          message: ${{ steps.generate_message.outputs.message }}
+          name: message
+          path: /tmp/message.txt
+          retention-days: 1 # Keep artifact for 1 days
diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
@@ -0,0 +1,42 @@
+# Automatically posts comments on pull requests with messages generated by other workflows
+# Triggered when specified workflows complete successfully
+name: PR Comment
+
+on:
+  workflow_run:
+    # NOTE: Add any workflow that needs to comment on PRs to this list
+    workflows:
+      - Check Config Changes
+      - Profiling Report
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+  actions: read
+
+jobs:
+  comment-on-pr:
+    runs-on: ubuntu-latest
+    # Only run if the triggering workflow succeeded
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+      # Download the message artifact created by the triggering workflow
+      - name: Download comment message
+        id: download-artifact
+        continue-on-error: true
+        uses: actions/download-artifact@v4
+        with:
+          name: message
+          path: /tmp/
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Comment on PR
+        if: steps.download-artifact.outcome == 'success'
+        uses: thollander/actions-comment-pull-request@v3
+        with:
+          file-path: /tmp/message.txt
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          pr-number: ${{ github.event.workflow_run.pull_requests[0].number }}
+          reactions: eyes, rocket
diff --git a/.github/workflows/profiling.yaml b/.github/workflows/profiling.yaml
@@ -1,10 +1,6 @@
 name: Profiling Report
 on:
-  pull_request_target:
-
-permissions:
-  contents: write
-  pull-requests: write
+  pull_request:
 
 jobs:
   profiling:
@@ -109,7 +105,7 @@ jobs:
           path: ./tmp/*
           retention-days: 5 # Keep artifact for 5 days
 
-  comment_on_pr:
+  generate-comment-message:
     runs-on: ubuntu-latest
     needs: [profiling]
     steps:
@@ -132,11 +128,9 @@ jobs:
           path: ./tmp
 
       - name: Generate comment messages
-        id: generate_message
         run: |
           {
-            echo "message<<EOF"
-            ./hack/reports/profiling.sh output
+            ./hack/reports/profiling.sh output | awk 'NR >4'
             echo ""
             echo "⬇️ Download the Profiling artifacts from the [Actions Summary page](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
             echo ""
@@ -147,11 +141,12 @@ jobs:
             echo "gh run download ${{ github.run_id }} -n profile-artifacts-${{ github.event.pull_request.number }}"
             echo "\`\`\`"
             echo ""
-            echo "EOF"
-          } >> $GITHUB_OUTPUT
-
-      - name: Create PR Comment with report links
-        uses: thollander/actions-comment-pull-request@v3
+          } > /tmp/message.txt
+      # NOTE: Uploading the message as an artifact so that PR Comment workflow can use it to
+      # add comment on PR with the message.
+      - name: Upload message
+        uses: actions/upload-artifact@v4
         with:
-          message: ${{ steps.generate_message.outputs.message }}
-          reactions: eyes, rocket
+          name: message
+          path: /tmp/message.txt
+          retention-days: 1 # Keep artifact for 1 days
