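name: PR Risk Scan — Comment

# Runs in the base repository with a write token after the "PR Risk Scan — Gate"
# workflow (triggered by pull_request) finishes, and posts its report as a PR
# comment. Everything inside the downloaded artifact (report.md, pr-number.txt)
# was produced by the pull_request run, which for fork PRs executes PR-controlled
# code: treat it as untrusted input. The PR number is therefore cross-checked
# against the workflow_run payload before any comment is written.
on:
  workflow_run:
    workflows: ["PR Risk Scan — Gate"]
    types: [completed]

permissions:
  issues: write
  pull-requests: write
  actions: read

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - name: Download scan artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: pr-risk-scan-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}

      - name: Upsert PR comment
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        with:
          script: |
            const fs = require('fs');

            // Marker that identifies this bot's own comment so reruns update it in
            // place instead of creating duplicates.
            // NOTE(review): this was an empty string in the source (an HTML-comment
            // marker was most likely lost when the file was rendered). With an empty
            // marker `includes(marker)` is true for EVERY comment, so the first human
            // comment on the PR would have been overwritten. The value below is a
            // constructed placeholder; it must be identical to the marker the Gate
            // workflow writes into report.md (or this step prepends it, see below).
            const marker = '<!-- pr-risk-scan-comment -->';
            const reportPath = 'report.md';
            const prNumberPath = 'pr-number.txt';
            // GitHub rejects issue-comment bodies longer than 65536 characters.
            const maxBodyLength = 65536;

            if (!fs.existsSync(reportPath)) {
              core.setFailed('Risk scan report.md artifact was not found.');
              return;
            }
            const report = fs.readFileSync(reportPath, 'utf8');

            // Resolve the PR number. workflow_run.pull_requests is filled in by
            // GitHub itself (same-repository PRs only) and is preferred; the
            // pr-number.txt fallback comes from the untrusted artifact and is
            // verified against the scanned commit below.
            let prNumber = context.payload.workflow_run.pull_requests?.[0]?.number ?? null;
            if (prNumber == null && fs.existsSync(prNumberPath)) {
              const parsed = Number.parseInt(fs.readFileSync(prNumberPath, 'utf8').trim(), 10);
              if (Number.isInteger(parsed) && parsed > 0) {
                prNumber = parsed;
              }
            }
            if (prNumber == null) {
              core.setFailed('Could not determine PR number for comment upsert.');
              return;
            }

            // A forged pr-number.txt could otherwise direct the bot to overwrite or
            // post on an unrelated PR. Only accept the PR whose current head is the
            // commit the Gate run actually scanned. This also drops stale runs; the
            // run for the newer push posts its own comment.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
            });
            const scannedSha = context.payload.workflow_run.head_sha;
            if (pr.head.sha !== scannedSha) {
              core.setFailed(
                `PR #${prNumber} head ${pr.head.sha} does not match scanned commit ${scannedSha}; refusing to post (stale run or inconsistent pr-number.txt).`,
              );
              return;
            }

            // Build the comment body: truncate to the API limit (leaving room for the
            // marker) and make sure the marker is present so the next run can find
            // this comment again.
            const reserved = marker.length + 1;
            let body = report;
            if (body.length > maxBodyLength - reserved) {
              const notice = '\n\n_(report truncated to fit the comment size limit)_\n';
              body = `${body.slice(0, maxBodyLength - reserved - notice.length)}${notice}`;
            }
            if (!body.includes(marker)) {
              body = `${marker}\n${body}`;
            }

            // paginate() walks every page; a single per_page: 100 request would miss
            // the bot's comment on PRs with more than 100 comments and create a duplicate.
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              per_page: 100,
            });
            const existing = comments.find((comment) => (comment.body ?? '').includes(marker));

            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body,
              });
              core.info(`Updated existing risk scan comment ${existing.id}`);
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: prNumber,
                body,
              });
              core.info('Created new risk scan comment');
            }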