[ci] use GitHub built-in token, switch comment-triggered jobs to workflow dispatch (fixes #7012) (#7035)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Nikita Titov <[email protected]>

Author: 3 people

.ci/append-comment.sh

@@ -1,14 +1,14 @@
 #!/bin/bash
 #
 # [description]
-#     Update comment appending a given body to the specified original comment.
+#     Post a comment to a pull request.
 #
 # [usage]
-#     append-comment.sh <COMMENT_ID> <BODY>
+#     append-comment.sh <PULL_REQUEST_ID> <BODY>
 #
-# COMMENT_ID: ID of comment that should be modified.
+# PULL_REQUEST_ID: ID of PR to post the comment on.
 #
-# BODY: Text that will be appended to the original comment body.
+# BODY: Text of the comment to be posted.
 
 set -e -E -u -o pipefail
 
@@ -18,33 +18,27 @@ if [ -z "$GITHUB_ACTIONS" ]; then
 fi
 
 if [ $# -ne 2 ]; then
-  echo "Usage: $0 <COMMENT_ID> <BODY>"
+  echo "Usage: $0 <PULL_REQUEST_ID> <BODY>"
   exit 1
 fi
 
-comment_id=$1
+pr_id=$1
 body=$2
 
-old_comment_body=$(
-  curl -sL \
-    -H "Accept: application/vnd.github.v3+json" \
-    -H "Authorization: token $SECRETS_WORKFLOW" \
-    "${GITHUB_API_URL}/repos/microsoft/LightGBM/issues/comments/$comment_id" | \
-  jq '.body'
-)
 body=${body/failure/failure ❌}
 body=${body/error/failure ❌}
 body=${body/cancelled/failure ❌}
 body=${body/timed_out/failure ❌}
 body=${body/success/success ✔️}
 data=$(
   jq -n \
-    --argjson body "${old_comment_body%?}\r\n\r\n$body\"" \
-    '{"body":$body}'
+    --argjson body "\"$body\"" \
+    '{"body": $body}'
 )
 curl -sL \
-  -X PATCH \
+  --fail \
+  -X POST \
   -H "Accept: application/vnd.github.v3+json" \
-  -H "Authorization: token $SECRETS_WORKFLOW" \
+  -H "Authorization: token ${GITHUB_TOKEN}" \
   -d "$data" \
-  "${GITHUB_API_URL}/repos/microsoft/LightGBM/issues/comments/$comment_id"
+  "${GITHUB_API_URL}/repos/microsoft/LightGBM/issues/${pr_id}/comments"

.ci/check-workflow-status.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# [description]
+#
+#   Look for the last run of a given GitHub Actions workflow on a given branch.
+#   If there's never been one (as might be the case with optional workflows like valgrind),
+#   exit with 0.
+#
+#   Otherwise, check the status of that latest run.
+#   If it wasn't successful, exit with a non-0 exit code.
+#
+# [usage]
+#
+#     check-workflow-status.sh <BRANCH> <WORKFLOW_FILE>
+#
+# BRANCH: name of a branch involved in a pull request.
+#
+# WORKFLOW_FILE: filename (e.g. 'r_valgrind.yml') defining the GitHub Actions workflow.
+#
+
+set -e -u -o pipefail
+
+BRANCH="${1}"
+WORKFLOW_FILE="${2}"
+
+echo "Searching for latest run of '${WORKFLOW_FILE}' on branch '${BRANCH}'"
+
+LATEST_RUN_ID=$(
+    gh run list  \
+        --repo "microsoft/LightGBM" \
+        --branch "${BRANCH}" \
+        --workflow "${WORKFLOW_FILE}" \
+        --json 'createdAt,databaseId' \
+        --jq 'sort_by(.createdAt) | reverse | .[0] | .databaseId'
+)
+
+if [[ "${LATEST_RUN_ID}" == "" ]]; then
+    echo "No runs of '${WORKFLOW_FILE}' found on branch '${BRANCH}'"
+    exit 0
+fi
+
+echo "Checking status of workflow run '${LATEST_RUN_ID}'"
+gh run view \
+    --repo "microsoft/LightGBM" \
+    --exit-status \
+    "${LATEST_RUN_ID}"

.ci/get-workflow-status.py

@@ -31,7 +31,7 @@ pr_branch=$3
 runs=$(
   curl -sL \
     -H "Accept: application/vnd.github.v3+json" \
-    -H "Authorization: token $SECRETS_WORKFLOW" \
+    -H "Authorization: token ${GITHUB_TOKEN}" \
     "${GITHUB_API_URL}/repos/microsoft/LightGBM/actions/workflows/${workflow_id}/runs?event=pull_request&branch=${pr_branch}" | \
   jq '.workflow_runs'
 )
@@ -42,6 +42,6 @@ if [[ $(echo "${runs}" | jq 'length') -gt 0 ]]; then
   curl -sL \
     -X POST \
     -H "Accept: application/vnd.github.v3+json" \
-    -H "Authorization: token $SECRETS_WORKFLOW" \
+    -H "Authorization: token ${GITHUB_TOKEN}" \
     "${GITHUB_API_URL}/repos/microsoft/LightGBM/actions/runs/$(echo "${runs}" | jq '.[0].id')/rerun"
 fi

.ci/rerun-workflow.sh

@@ -46,8 +46,9 @@ data=$(
 )
 
 curl -sL \
+  --fail \
   -X POST \
   -H "Accept: application/vnd.github.v3+json" \
-  -H "Authorization: token $SECRETS_WORKFLOW" \
+  -H "Authorization: token ${GITHUB_TOKEN}" \
   -d "$data" \
   "${GITHUB_API_URL}/repos/microsoft/LightGBM/statuses/$sha"

.ci/set-commit-status.sh

@@ -7,28 +7,23 @@ on:
 
 jobs:
   all-optional-checks-successful:
-    timeout-minutes: 120
+    timeout-minutes: 30
     runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ github.token }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
           fetch-depth: 5
           persist-credentials: false
           submodules: false
-      - name: Check that all tests succeeded
+      - name: Check valgrind workflow
         shell: bash
         run: |
-            workflows=(
-                "R valgrind tests;r-valgrind"
-            )
-            for i in "${workflows[@]}"; do
-                workflow_name=${i%;*}
-                comment="The last reported status from workflow \"$workflow_name\" is failure."
-                comment="${comment} Commit fixes and rerun the workflow."
-                trigger_phrase=${i#*;}
-                python \
-                    "$GITHUB_WORKSPACE/.ci/get-workflow-status.py" \
-                    "$trigger_phrase" \
-                || { echo "${comment}"; exit 1; }
-            done
+            # ref: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
+            PR_BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+            echo "checking status for branch '${PR_BRANCH}'"
+            ./.ci/check-workflow-status.sh \
+                "${PR_BRANCH}" \
+                'r_valgrind.yml'

.ci/trigger-dispatch-run.sh

@@ -1,8 +1,27 @@
 name: R generate configure
 
 on:
-  repository_dispatch:
-    types: [gha_run_r_configure]
+  workflow_dispatch:
+    inputs:
+      pr-branch:
+        type: string
+        description: |
+          Branch in microsoft/LightGBM to update.
+
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  discussions: none
+  id-token: write
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: read
+  repository-projects: none
+  security-events: none
+  statuses: none
 
 jobs:
   r-configure:
@@ -24,18 +43,19 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 5
-          submodules: true
+          submodules: false
           repository: microsoft/LightGBM
-          ref: "refs/heads/${{ fromJSON(github.event.client_payload.pr_branch) }}"
-          token: ${{ secrets.WORKFLOW }}
+          ref: "refs/heads/${{ inputs.pr-branch }}"
+          token: ${{ github.token }}
           persist-credentials: true
       - name: Update configure
         shell: bash
         run: ./R-package/recreate-configure.sh || exit 1
       - name: Push changes
         run: |
-          git config --global user.name "GitHub Actions Bot"
-          git config --global user.email "[email protected]"
+          # source for this user and email: https://github.com/orgs/community/discussions/160496
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
           git add "./R-package/configure"
           git commit --allow-empty -m "Auto-update configure"
           git push