parsons/.github/workflows/coverage.yml at 774226c4a4432c19fefefeb4d4ea30311975c4bb · move-coop/parsons · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: Post coverage comment

on:
    workflow_run:
        workflows: ["Python checks"]
        types:
            - completed

permissions:
    contents: read

jobs:
    test:
        name: Run tests & display coverage

        runs-on: ubuntu-latest
        if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'

        permissions:
            # Gives the action the necessary permissions for publishing new
            # comments in pull requests.
            pull-requests: write
            # Gives the action the necessary permissions for editing existing
            # comments (to avoid publishing multiple comments in the same PR)
            contents: write
            # Gives the action the necessary permissions for looking up the
            # workflow that launched this workflow, and download the related
            # artifact that contains the comment to be published
            actions: read

        steps:
            # DO NOT run actions/checkout here, for security reasons
            # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
            - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc
              with:
                disable-sudo: false
                egress-policy: audit

            - uses: py-cov-action/python-coverage-comment-action@7188638f871f721a365d644f505d1ff3df20d683  # v3.35
              with:
                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                  GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}