
Telegram nightly-fanout notifications #316


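name: Telegram nightly-fanout notifications
# Fan-out failure notifications for nightly / weekly workflows that previously
# failed silently. Triggered on `workflow_run` completion so a single job
# covers every workflow in the list - keeps the diff in each workflow zero.
#
# Reuses the same TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID secrets as
# `telegram-notify.yml`. No new secret required.
#
# Refs: #1273.
#
# Safety note (zizmor dangerous-triggers): this workflow uses `workflow_run`
# because it must observe completion of the upstream nightly workflows.
# It runs on the canonical repo only, never checks out code, and never
# interpolates `${{ }}` expressions into a `run:` block: every event field it
# uses is handed to the script through `env:`, and the Telegram request body
# is assembled with jq so those values are JSON-encoded rather than spliced
# into a string literal. Only a fixed set of metadata fields (workflow name,
# conclusion, branch, sha, run id / url) is forwarded to Telegram.
on: # zizmor: ignore[dangerous-triggers]
  workflow_run:
    workflows:
      - "Nightly deep tests"
      - "eval-nightly"
      - "soc2-evidence-nightly"
      - "Adversarial Pen-Test Suite"
      - "Adapter contract drift"
    types: [completed]

# One in-flight notification per (workflow, branch); a newer completion of the
# same pair supersedes one that is still being sent.
concurrency:
  group: notify-other-${{ github.event.workflow_run.name }}-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: true

# The job never calls the GitHub API itself; GITHUB_TOKEN stays read-only.
permissions:
  contents: read
  actions: read

jobs:
  notify:
    # Notify on anything that isn't a clean pass or an explicit skip. This
    # catches `failure`, `cancelled`, `timed_out`, `action_required`, and
    # `startup_failure` - every operator-actionable outcome.
    if: >-
      github.event.workflow_run.conclusion != 'success' &&
      github.event.workflow_run.conclusion != 'skipped' &&
      github.event.workflow_run.conclusion != 'neutral'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Harden runner (audit mode)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Send Telegram notification for nightly failure
        # Event fields reach the script only as environment variables, so the
        # shell never parses them as code. Secrets are read the same way.
        env:
          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
          TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
          STATUS: ${{ github.event.workflow_run.conclusion }}
          BRANCH: ${{ github.event.workflow_run.head_branch }}
          SHA: ${{ github.event.workflow_run.head_sha }}
          HTML_URL: ${{ github.event.workflow_run.html_url }}
          RUN_ID: ${{ github.event.workflow_run.id }}
          EVENT: ${{ github.event.workflow_run.event }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Best-effort: a repo without the Telegram secrets skips quietly
          # instead of failing the notification job.
          if [ -z "${TELEGRAM_BOT_TOKEN:-}" ] || [ -z "${TELEGRAM_CHAT_ID:-}" ]; then
            echo "Telegram not configured; skipping."
            exit 0
          fi
          SHORT_SHA="${SHA:0:7}"
          case "${STATUS}" in
            failure) ICON="❌" ;;
            cancelled) ICON="🚫" ;;
            timed_out) ICON="⏱️" ;;
            action_required) ICON="⚠️" ;;
            startup_failure) ICON="💥" ;;
            *) ICON="⚠️" ;;
          esac
          TITLE="${ICON} ${WORKFLOW_NAME}: ${STATUS} (${EVENT})"
          TEXT="${TITLE}
          Branch: ${BRANCH:-?}
          Commit: ${SHORT_SHA}
          ${HTML_URL}"
          RERUN_URL="https://github.com/${REPO}/actions/runs/${RUN_ID}/rerun"
          # Build the request body with jq so every value is a properly escaped
          # JSON string. Splicing ${TEXT} into a quoted literal would leave its
          # newlines unescaped (not valid JSON) and would break on a branch
          # name containing a double quote.
          PAYLOAD="$(jq -cn \
            --arg chat_id "${TELEGRAM_CHAT_ID}" \
            --arg text "${TEXT}" \
            --arg run_url "${HTML_URL}" \
            --arg rerun_url "${RERUN_URL}" \
            '{chat_id: $chat_id, text: $text,
              reply_markup: {inline_keyboard: [[
                {text: "🔄 View Run", url: $run_url},
                {text: "📋 Rerun", url: $rerun_url}]]}}')"
          # --fail-with-body makes an HTTP error from the Bot API a non-zero
          # exit (response body still printed), so a rejected request shows up
          # as a warning instead of passing silently; the job itself stays green.
          curl -sS --fail-with-body -X POST \
            "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
            -H "Content-Type: application/json" \
            -d "${PAYLOAD}" \
            || echo "::warning::Telegram notification failed"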