feat(ci): Add workflow_run workflow for posting CI failure comments on PRs#17022
Closed
kgpai wants to merge 1 commit intofacebookincubator:mainfrom
Closed
feat(ci): Add workflow_run workflow for posting CI failure comments on PRs#17022kgpai wants to merge 1 commit intofacebookincubator:mainfrom
kgpai wants to merge 1 commit intofacebookincubator:mainfrom
Conversation
…n PRs Add ci-failure-comment.yml, a workflow_run-triggered workflow that posts PR comments when CI builds or tests fail. This is needed because the pull_request event gives fork PRs a read-only GITHUB_TOKEN, preventing direct commenting from status jobs. The workflow: - Triggers when "Linux Build using GCC" completes with failures - Downloads ci-failure-* artifacts uploaded by status jobs - Posts a combined comment on the PR listing failures and log links Also reverts pull-requests:write from linux-build.yml (facebookincubator#17021) since the workflow_run pattern provides its own permissions. Security: This workflow never checks out or executes PR code. It only reads markdown artifacts generated by our own status jobs and posts them via the GitHub REST API through actions/github-script. Companion to facebookincubator#17015 which adds the artifact uploads in status jobs.
✅ Deploy Preview for meta-velox canceled.
|
meta-cla
bot
added
the
CLA Signed
Build Impact AnalysisNo build targets affected by this change. Fast path • Graph from main@d14cd0c27e72ddc11be0d3a09b81aa3832b370f7 |
srsuryadev
approved these changes
Apr 3, 2026
pratikpugalia
approved these changes
Apr 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ci-failure-comment.yml— aworkflow_run-triggered workflow that posts PR comments when CI builds or tests failpull-requests: writefromlinux-build.yml(added in build(ci): Grant pull-requests write permission to Linux build workflow #17021) since this workflow provides its own permissionsci-failure-comment.ymlto zizmor'sdangerous-triggersignore listWhy workflow_run?
The
pull_requestevent gives fork PRs a read-onlyGITHUB_TOKEN— this is a GitHub security restriction that cannot be overridden by the workflow'spermissionsblock. Since most Velox PRs come from forks, directgh pr commentcalls from status jobs always fail withResource not accessible by integration.The
workflow_runpattern solves this by running a separate workflow in the base repo context after the build completes, with its own write permissions. This is the same pattern used bybuild-impact-comment.ymlin this repo.How it works
linux-build-base.yml(from feat(ci): Add test failure reporting with PR comments and error annotations #17015) upload failure details asci-failure-*artifactsSecurity
fs.readFileSyncand passed through the GitHub REST API (no shell interpolation)dangerous-triggersignore list with justificationTest plan
Companion to #17015 which adds the artifact uploads in status jobs.