Open
Description
GitHub pinged us that the action that checks for alembic revisions could have leaked the GH token; I already applied this workaround but a cleaner solution would be to split it in two workflow runs: One that runs on pull_request and stores the comment information as an artifact, and then another one that runs on workflow_run to create the comment.
In the email exchange the pointed to https://github.com/nonebot/nonebot2/pull/80/files as an example on how this could be done. Looks pretty straightforward. :)
Original report: GHSL-2020-316-indico-newdle-workflow.pdf