d7fde9db1f
Introduce a PR risk scanner script plus two workflows: one to scan changed files and upload findings, and one to upsert a sticky PR comment with a summary table and findings. This adds non-blocking supply-chain risk visibility for agentic contributions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
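name: PR Risk Scan — Comment

# Runs in the base repository's context, with write permissions, after the
# "PR Risk Scan — Gate" workflow (triggered by pull_request, possibly from a
# fork) has finished. Everything read from the downloaded artifact was
# produced by that untrusted run, so it is treated as data to display and
# is never allowed to choose where the comment lands without verification.
on:
  workflow_run:
    workflows: ["PR Risk Scan — Gate"]
    types: [completed]

permissions:
  issues: write
  pull-requests: write
  # Needed to download an artifact from another workflow run.
  actions: read

jobs:
  comment:
    runs-on: ubuntu-latest
    # Only react to Gate runs that were themselves triggered by a pull request.
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      - name: Download scan artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: pr-risk-scan-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}

      - name: Upsert PR comment
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        with:
          script: |
            const fs = require('fs');

            // Hidden HTML marker that lets a later run find and update this comment.
            const marker = '<!-- pr-risk-scan-results -->';
            const reportPath = 'report.md';
            const prNumberPath = 'pr-number.txt';
            // GitHub rejects comment bodies longer than 65536 characters; leave
            // headroom for the truncation notice appended below.
            const maxBodyLength = 65000;

            if (!fs.existsSync(reportPath)) {
              core.setFailed('Risk scan report.md artifact was not found.');
              return;
            }

            // PR number recorded by the Gate run, or null when absent/unparseable.
            const readRecordedPrNumber = () => {
              if (!fs.existsSync(prNumberPath)) return null;
              const parsed = Number.parseInt(fs.readFileSync(prNumberPath, 'utf8').trim(), 10);
              return Number.isInteger(parsed) && parsed > 0 ? parsed : null;
            };

            // Confirms that prNumber refers to the PR whose head commit the Gate
            // run actually scanned. pr-number.txt is written by the untrusted
            // pull_request run, so without this check a crafted artifact could
            // redirect the comment (and the report text) to an unrelated PR.
            const isPrForThisRun = async (prNumber) => {
              const expectedSha = context.payload.workflow_run.head_sha;
              try {
                const { data: pr } = await github.rest.pulls.get({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  pull_number: prNumber,
                });
                return pr.head.sha === expectedSha;
              } catch (err) {
                core.warning(`Could not look up PR #${prNumber}: ${err.message}`);
                return false;
              }
            };

            // Prefer the recorded number (present for fork PRs, where
            // workflow_run.pull_requests is typically empty); fall back to the
            // PR list GitHub attaches to the workflow_run event.
            const prNumber =
              readRecordedPrNumber() ??
              context.payload.workflow_run.pull_requests?.[0]?.number ??
              null;

            if (!prNumber) {
              core.setFailed('Could not determine PR number for comment upsert.');
              return;
            }

            if (!(await isPrForThisRun(prNumber))) {
              // Either the artifact named a PR the scanned commit does not belong
              // to, or the PR received a newer push since the Gate run started;
              // in both cases the newer/correct Gate run will post its own comment.
              core.warning(`PR #${prNumber} head does not match scanned commit; skipping comment.`);
              return;
            }

            let body = fs.readFileSync(reportPath, 'utf8');
            if (!body.includes(marker)) {
              // Without the marker the next run could not find this comment and
              // would create a duplicate.
              body = `${marker}\n${body}`;
            }
            if (body.length > maxBodyLength) {
              body = `${body.slice(0, maxBodyLength)}\n\n_Report truncated to fit the comment size limit._`;
            }

            // Paginate: a single page of 100 would miss the marker comment on
            // long-running PRs and create duplicates.
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              per_page: 100,
            });

            // Only consider bot-authored comments so a human comment that merely
            // quotes the marker is never overwritten.
            const existing = comments.find(
              (comment) => comment.user?.type === 'Bot' && comment.body?.includes(marker),
            );

            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body,
              });
              console.log(`Updated existing risk scan comment ${existing.id}`);
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: prNumber,
                body,
              });
              console.log('Created new risk scan comment');
            }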