switch to more secure split PR comment approach

mashehu · mashehu · commit 6ab832157228 · 2026-06-23T17:32:20.000+02:00
diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
@@ -2,8 +2,11 @@ name: nf-core branch protection
 # This workflow is triggered on PRs to main branch on the repository
 # It fails when someone tries to make a PR against the nf-core `main` branch instead of `dev`
 on:
-  pull_request_target:
-    branches: [main]
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
 
 jobs:
   test:
@@ -12,32 +15,47 @@ jobs:
       # PRs to the nf-core repo main branch are only ok if coming from the nf-core repo `dev` or any `patch` branches
       - name: Check PRs
         if: github.repository == 'nf-core/tools'
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
         run: |
-          { [[ ${{github.event.pull_request.head.repo.full_name}} == nf-core/tools ]] && [[ $GITHUB_HEAD_REF == "dev" ]]; } || [[ $GITHUB_HEAD_REF == "patch" ]]
+          { [[ "$HEAD_REPO" == "nf-core/tools" ]] && [[ "$GITHUB_HEAD_REF" == "dev" ]]; } || [[ "$GITHUB_HEAD_REF" == "patch" ]]
 
-      # If the above check failed, post a comment on the PR explaining the failure
-      - name: Post PR comment
+      # If the above check failed, build a comment to be posted by the shared poster workflow
+      - name: Build PR comment
         if: failure()
-        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3
-        with:
-          message: |
-            ## This PR is against the `main` branch :x:
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          PR_USER: ${{ github.event.pull_request.user.login }}
+        run: |
+          mkdir -p pr-comment
+          echo "$PR_NUMBER" > pr-comment/pr_number.txt
+          echo "branch" > pr-comment/header.txt
+          cat > pr-comment/comment.md <<EOF
+          ## This PR is against the \`${BASE_REF}\` branch :x:
 
-            * Do not close this PR
-            * Click _Edit_ and change the `base` to `dev`
-            * This CI test will remain failed until you push a new commit
+          * Do not close this PR
+          * Click _Edit_ and change the \`base\` to \`dev\`
+          * This CI test will remain failed until you push a new commit
 
-            ---
+          ---
 
-            Hi @${{ github.event.pull_request.user.login }},
+          Hi @${PR_USER},
 
-            It looks like this pull-request is has been made against the [${{github.event.pull_request.head.repo.full_name }}](https://github.com/${{github.event.pull_request.head.repo.full_name }}) `main` branch.
-            The `main` branch on nf-core repositories should always contain code from the latest release.
-            Because of this, PRs to `main` are only allowed if they come from the [${{github.event.pull_request.head.repo.full_name }}](https://github.com/${{github.event.pull_request.head.repo.full_name }}) `dev` branch.
+          It looks like this pull-request is has been made against the [${HEAD_REPO}](https://github.com/${HEAD_REPO}) ${BASE_REF} branch.
+          The ${BASE_REF} branch on nf-core repositories should always contain code from the latest release.
+          Because of this, PRs to ${BASE_REF} are only allowed if they come from the [${HEAD_REPO}](https://github.com/${HEAD_REPO}) \`dev\` branch.
 
-            You do not need to close this PR, you can change the target branch to `dev` by clicking the _"Edit"_ button at the top of this page.
-            Note that even after this, the test will continue to show as failing until you push a new commit.
+          You do not need to close this PR, you can change the target branch to \`dev\` by clicking the _"Edit"_ button at the top of this page.
+          Note that even after this, the test will continue to show as failing until you push a new commit.
 
-            Thanks again for your contribution!
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          allow-repeats: false
+          Thanks again for your contribution!
+          EOF
+
+      - name: Upload PR comment artifact
+        if: failure()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: pr-comment
+          path: pr-comment/
diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
@@ -0,0 +1,66 @@
+name: Post PR comment
+# Shared, privileged comment poster.
+#
+# This is the single workflow that runs with a write token. It is triggered
+# after any of the listed "producer" workflows complete on a pull request.
+# Each producer runs untrusted PR code (if any) with a read-only token and
+# uploads a `pr-comment` artifact describing the comment to post; this workflow
+# only ever reads that plain-text artifact, so no PR code is executed here.
+#
+# Artifact contract (uploaded by producers under the name `pr-comment`):
+#   pr_number.txt  - the pull request number
+#   header.txt     - sticky-comment identifier (keeps comment types separate)
+#   comment.md     - the Markdown body (omit the file to post nothing)
+
+on:
+  workflow_run:
+    workflows:
+      - "nf-core branch protection"
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+
+jobs:
+  post-comment:
+    runs-on: ubuntu-latest
+    # Only act on runs that were triggered by a pull request.
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download PR comment artifact
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr-comment
+          if_no_artifact_found: ignore
+
+      - name: Read comment metadata
+        id: meta
+        run: |
+          # No comment body means there is nothing to post.
+          [ -f pr-comment/comment.md ] || exit 0
+
+          pr_number=$(cat pr-comment/pr_number.txt)
+          header=$(cat pr-comment/header.txt)
+
+          # Guard against anything unexpected ending up in the PR number.
+          case "$pr_number" in
+            ''|*[!0-9]*)
+              echo "Invalid PR number: '$pr_number'"
+              exit 1
+              ;;
+          esac
+
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "header=$header" >> "$GITHUB_OUTPUT"
+          echo "post=true" >> "$GITHUB_OUTPUT"
+
+      - name: Post PR comment
+        if: steps.meta.outputs.post == 'true'
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.meta.outputs.pr_number }}
+          header: ${{ steps.meta.outputs.header }}
+          path: pr-comment/comment.md
diff --git a/nf_core/pipeline-template/.github/workflows/branch.yml b/nf_core/pipeline-template/.github/workflows/branch.yml
@@ -2,45 +2,61 @@ name: nf-core branch protection
 # This workflow is triggered on PRs to `main`/`master` branch on the repository
 # It fails when someone tries to make a PR against the nf-core `main`/`master` branch instead of `dev`
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - master
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       # PRs to the nf-core repo main/master branch are only ok if coming from the nf-core repo `dev` or any `patch` branches
       - name: Check PRs
         if: github.repository == '{{ name }}'
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
         run: |
-          { [[ {% raw %}${{github.event.pull_request.head.repo.full_name }}{% endraw %} == {{ name }} ]] && [[ $GITHUB_HEAD_REF == "dev" ]]; } || [[ $GITHUB_HEAD_REF == "patch" ]]
+          { [[ "$HEAD_REPO" == {{ name }} ]] && [[ $GITHUB_HEAD_REF == "dev" ]]; } || [[ $GITHUB_HEAD_REF == "patch" ]]
 
-      # If the above check failed, post a comment on the PR explaining the failure {%- raw %}
-      # NOTE - this doesn't currently work if the PR is coming from a fork, due to limitations in GitHub actions secrets
-      - name: Post PR comment
+      # If the above check failed, build a comment to be posted by the shared poster workflow
+      - name: Build PR comment
         if: failure()
-        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3
-        with:
-          message: |
-            ## This PR is against the `${{github.event.pull_request.base.ref}}` branch :x:
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          PR_USER: ${{ github.event.pull_request.user.login }}
+        run: |
+          mkdir -p pr-comment
+          echo "$PR_NUMBER" > pr-comment/pr_number.txt
+          echo "branch" > pr-comment/header.txt
+          cat > pr-comment/comment.md <<EOF
+          ## This PR is against the \`${BASE_REF}\` branch :x:
 
-            * Do not close this PR
-            * Click _Edit_ and change the `base` to `dev`
-            * This CI test will remain failed until you push a new commit
+          * Do not close this PR
+          * Click _Edit_ and change the \`base\` to \`dev\`
+          * This CI test will remain failed until you push a new commit
 
-            ---
+          ---
 
-            Hi @${{ github.event.pull_request.user.login }},
+          Hi @${PR_USER},
 
-            It looks like this pull-request is has been made against the [${{github.event.pull_request.head.repo.full_name }}](https://github.com/${{github.event.pull_request.head.repo.full_name }}) ${{github.event.pull_request.base.ref}} branch.
-            The ${{github.event.pull_request.base.ref}} branch on nf-core repositories should always contain code from the latest release.
-            Because of this, PRs to ${{github.event.pull_request.base.ref}} are only allowed if they come from the [${{github.event.pull_request.head.repo.full_name }}](https://github.com/${{github.event.pull_request.head.repo.full_name }}) `dev` branch.
+          It looks like this pull-request is has been made against the [${HEAD_REPO}](https://github.com/${HEAD_REPO}) ${BASE_REF} branch.
+          The ${BASE_REF} branch on nf-core repositories should always contain code from the latest release.
+          Because of this, PRs to ${BASE_REF} are only allowed if they come from the [${HEAD_REPO}](https://github.com/${HEAD_REPO}) \`dev\` branch.
 
-            You do not need to close this PR, you can change the target branch to `dev` by clicking the _"Edit"_ button at the top of this page.
-            Note that even after this, the test will continue to show as failing until you push a new commit.
+          You do not need to close this PR, you can change the target branch to \`dev\` by clicking the _"Edit"_ button at the top of this page.
+          Note that even after this, the test will continue to show as failing until you push a new commit.
 
-            Thanks again for your contribution!
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          allow-repeats: false {%- endraw %}
+          Thanks again for your contribution!
+          EOF
+
+      - name: Upload PR comment artifact
+        if: failure()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: pr-comment
+          path: pr-comment/
diff --git a/nf_core/pipeline-template/.github/workflows/linting.yml b/nf_core/pipeline-template/.github/workflows/linting.yml
@@ -74,3 +74,21 @@ jobs:
             lint_log.txt
             lint_results.md
             PR_number.txt {%- endraw %}
+
+      # Build a comment for the shared pr-comment.yml poster to publish on the PR
+      - name: Prepare PR comment
+        if: ${{ always() }}
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          mkdir -p pr-comment
+          echo "$PR_NUMBER" > pr-comment/pr_number.txt
+          echo "lint" > pr-comment/header.txt
+          [ -f lint_results.md ] && cp lint_results.md pr-comment/comment.md || true
+
+      - name: Upload PR comment artifact
+        if: ${{ always() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: pr-comment
+          path: pr-comment/
diff --git a/nf_core/pipeline-template/.github/workflows/linting_comment.yml b/nf_core/pipeline-template/.github/workflows/linting_comment.yml
diff --git a/nf_core/pipeline-template/.github/workflows/pr-comment.yml b/nf_core/pipeline-template/.github/workflows/pr-comment.yml
@@ -0,0 +1,68 @@
+name: Post PR comment
+# Shared, privileged comment poster.
+#
+# This is the single workflow that runs with a write token. It is triggered
+# after any of the listed "producer" workflows complete on a pull request.
+# Each producer runs untrusted PR code (if any) with a read-only token and
+# uploads a `pr-comment` artifact describing the comment to post; this workflow
+# only ever reads that plain-text artifact, so no PR code is executed here.
+#
+# Artifact contract (uploaded by producers under the name `pr-comment`):
+#   pr_number.txt  - the pull request number
+#   header.txt     - sticky-comment identifier (keeps comment types separate)
+#   comment.md     - the Markdown body (omit the file to post nothing)
+
+on:
+  workflow_run:
+    workflows:
+      - "nf-core linting"
+      - "nf-core template version comment"
+      - "nf-core branch protection"
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+
+jobs:
+  post-comment:
+    runs-on: ubuntu-latest
+    # Only act on runs that were triggered by a pull request.
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download PR comment artifact
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr-comment
+          if_no_artifact_found: ignore
+
+      - name: Read comment metadata
+        id: meta
+        run: |
+          # No comment body means there is nothing to post.
+          [ -f pr-comment/comment.md ] || exit 0
+
+          pr_number=$(cat pr-comment/pr_number.txt)
+          header=$(cat pr-comment/header.txt)
+
+          # Guard against anything unexpected ending up in the PR number.
+          case "$pr_number" in
+            ''|*[!0-9]*)
+              echo "Invalid PR number: '$pr_number'"
+              exit 1
+              ;;
+          esac
+
+          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+          echo "header=$header" >> "$GITHUB_OUTPUT"
+          echo "post=true" >> "$GITHUB_OUTPUT"
+
+      - name: Post PR comment
+        if: steps.meta.outputs.post == 'true'
+        uses: marocchino/sticky-pull-request-comment@70d2764d1a7d5d9560b100cbea0077fc8f633987 # v3
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.meta.outputs.pr_number }}
+          header: ${{ steps.meta.outputs.header }}
+          path: pr-comment/comment.md
diff --git a/nf_core/pipeline-template/.github/workflows/template-version-comment.yml b/nf_core/pipeline-template/.github/workflows/template-version-comment.yml
