Comment Results #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Comment Results | |
| # SECURITY: workflow_run trigger = elevated permissions, no fork code access | |
| on: | |
| workflow_run: | |
| workflows: ["Aztec Benchmark"] | |
| types: | |
| - completed | |
| permissions: | |
| contents: read | |
| pull-requests: write # Elevated permissions for commenting | |
| jobs: | |
| comment: | |
| name: Comment results | |
| runs-on: ubuntu-latest | |
| if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' | |
| steps: | |
| # SECURITY: Never checkout PR code in this workflow | |
| # This job has elevated permissions but only handles trusted artifacts | |
| - name: Download benchmark results | |
| id: download-results | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| // Download benchmark results artifact | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: ${{ github.event.workflow_run.id }}, | |
| }); | |
| const benchmarkArtifact = artifacts.data.artifacts.find(artifact => | |
| artifact.name === 'benchmark-results' | |
| ); | |
| if (benchmarkArtifact) { | |
| const download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: benchmarkArtifact.id, | |
| archive_format: 'zip', | |
| }); | |
| const fs = require('fs'); | |
| fs.writeFileSync('benchmark-results.zip', Buffer.from(download.data)); | |
| console.log('Downloaded benchmark results artifact'); | |
| } else { | |
| console.log('No benchmark results found - likely skipped due to no relevant changes'); | |
| core.setOutput('has-results', 'false'); | |
| return; | |
| } | |
| core.setOutput('has-results', 'true'); | |
| - name: Extract benchmark results | |
| if: steps.download-results.outputs.has-results == 'true' | |
| id: extract-results | |
| run: | | |
| unzip -q benchmark-results.zip | |
| if [[ -f benchmark-comparison.md ]]; then | |
| echo "results-available=true" >> $GITHUB_OUTPUT | |
| echo "Found benchmark comparison results" | |
| else | |
| echo "results-available=false" >> $GITHUB_OUTPUT | |
| echo "No benchmark comparison file found" | |
| fi | |
| - name: Download PR metadata | |
| uses: actions/github-script@v8 | |
| with: | |
| script: | | |
| // Download PR metadata artifact | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: ${{ github.event.workflow_run.id }}, | |
| }); | |
| const metadataArtifact = artifacts.data.artifacts.find(artifact => | |
| artifact.name === 'pr-metadata' | |
| ); | |
| if (metadataArtifact) { | |
| const download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: metadataArtifact.id, | |
| archive_format: 'zip', | |
| }); | |
| const fs = require('fs'); | |
| fs.writeFileSync('pr-metadata.zip', Buffer.from(download.data)); | |
| console.log('Downloaded PR metadata artifact'); | |
| } else { | |
| throw new Error('PR metadata artifact not found'); | |
| } | |
| - name: Extract PR number | |
| id: extract-pr | |
| run: | | |
| unzip -q pr-metadata.zip | |
| PR_NUMBER=$(cat pr-number.txt) | |
| echo "pr-number=$PR_NUMBER" >> $GITHUB_OUTPUT | |
| echo "Found PR number: $PR_NUMBER" | |
| - name: Comment results | |
| if: steps.extract-results.outputs.results-available == 'true' | |
| uses: peter-evans/create-or-update-comment@v5 | |
| with: | |
| issue-number: ${{ steps.extract-pr.outputs.pr-number }} | |
| body-file: benchmark-comparison.md |