Telegram nightly-fanout notifications #316
| name: Telegram nightly-fanout notifications | |
| # Fan-out failure notifications for nightly / weekly workflows that previously | |
| # failed silently. Triggered on `workflow_run` completion so a single job | |
| # covers every workflow in the list - keeps the diff in each workflow zero. | |
| # | |
| # Reuses the same TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID secrets as | |
| # `telegram-notify.yml`. No new secret required. | |
| # | |
| # Refs: #1273. | |
| # | |
| # Safety note (zizmor dangerous-triggers): this workflow uses `workflow_run` | |
| # because it must observe completion of the upstream nightly workflows. | |
| # It runs on the canonical repo only, never checks out code, never reads | |
| # fork-controlled inputs into a `run:` block, and only forwards a fixed set | |
| # of metadata fields (workflow name, conclusion, run id) to Telegram. No | |
| # attacker-controlled value reaches a shell here. | |
| on: # zizmor: ignore[dangerous-triggers] | |
| workflow_run: | |
| workflows: | |
| - "Nightly deep tests" | |
| - "eval-nightly" | |
| - "soc2-evidence-nightly" | |
| - "Adversarial Pen-Test Suite" | |
| - "Adapter contract drift" | |
| types: [completed] | |
| concurrency: | |
| group: notify-other-${{ github.event.workflow_run.name }}-${{ github.event.workflow_run.head_branch }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| actions: read | |
| jobs: | |
| notify: | |
| # Notify on anything that isn't a clean pass or an explicit skip. This | |
| # catches `failure`, `cancelled`, `timed_out`, `action_required`, and | |
| # `startup_failure` - every operator-actionable outcome. | |
| if: >- | |
| github.event.workflow_run.conclusion != 'success' && | |
| github.event.workflow_run.conclusion != 'skipped' && | |
| github.event.workflow_run.conclusion != 'neutral' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Harden runner (audit mode) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Send Telegram notification for nightly failure | |
| env: | |
| TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} | |
| TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }} | |
| WORKFLOW_NAME: ${{ github.event.workflow_run.name }} | |
| STATUS: ${{ github.event.workflow_run.conclusion }} | |
| BRANCH: ${{ github.event.workflow_run.head_branch }} | |
| SHA: ${{ github.event.workflow_run.head_sha }} | |
| HTML_URL: ${{ github.event.workflow_run.html_url }} | |
| RUN_ID: ${{ github.event.workflow_run.id }} | |
| EVENT: ${{ github.event.workflow_run.event }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| set -euo pipefail | |
| if [ -z "${TELEGRAM_BOT_TOKEN:-}" ] || [ -z "${TELEGRAM_CHAT_ID:-}" ]; then | |
| echo "Telegram not configured; skipping." | |
| exit 0 | |
| fi | |
| SHORT_SHA="${SHA:0:7}" | |
| case "${STATUS}" in | |
| failure) ICON="❌" ;; | |
| cancelled) ICON="🚫" ;; | |
| timed_out) ICON="⏱️" ;; | |
| action_required) ICON="⚠️" ;; | |
| startup_failure) ICON="💥" ;; | |
| *) ICON="⚠️" ;; | |
| esac | |
| TITLE="${ICON} ${WORKFLOW_NAME}: ${STATUS} (${EVENT})" | |
| TEXT="${TITLE} | |
| Branch: ${BRANCH:-?} | |
| Commit: ${SHORT_SHA} | |
| ${HTML_URL}" | |
| KEYBOARD='{"inline_keyboard":[[{"text":"🔄 View Run","url":"'"${HTML_URL}"'"},{"text":"📋 Rerun","url":"https://github.com/'"${REPO}"'/actions/runs/'"${RUN_ID}"'/rerun"}]]}' | |
| curl -sS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ | |
| -H "Content-Type: application/json" \ | |
| -d "{\"chat_id\":\"${TELEGRAM_CHAT_ID}\",\"text\":\"${TEXT}\",\"reply_markup\":${KEYBOARD}}" \ | |
| || echo "Telegram notification failed" |
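Review bot: The request body on the `-d` line is assembled by shell string interpolation, so a `"`, `\` or raw newline in any forwarded field breaks or alters the JSON; `TEXT` already embeds literal newlines, which strict JSON does not permit inside a string, and `head_branch` is a git ref name that may legitimately contain `"` and, for upstream runs triggered from forks, is not chosen by the repository owner. The header comment's claim that only workflow name, conclusion and run id are forwarded also no longer matches the `env:` block, which additionally passes branch, SHA, URL and event. Building the payload with `jq --arg` (available on `ubuntu-latest`) escapes every field, and adding `--fail-with-body` to curl makes a 4xx from the API hit the `|| echo` fallback instead of succeeding silently, which matters for a job whose purpose is ending silent failures. I would also amend the header line to `# of metadata fields (workflow name, conclusion, branch, SHA, run URL/id, event)`.

```yaml
        run: |
          # … unchanged: set -euo pipefail, secret check, SHORT_SHA, ICON case, TITLE, TEXT …
          RERUN_URL="https://github.com/${REPO}/actions/runs/${RUN_ID}/rerun"
          # jq escapes quotes, backslashes and newlines in every field, so the
          # body is always valid JSON regardless of branch name or title content.
          PAYLOAD="$(jq -cn \
            --arg chat_id "${TELEGRAM_CHAT_ID}" \
            --arg text "${TEXT}" \
            --arg run_url "${HTML_URL}" \
            --arg rerun_url "${RERUN_URL}" \
            '{chat_id: $chat_id, text: $text,
              reply_markup: {inline_keyboard: [[
                {text: "🔄 View Run", url: $run_url},
                {text: "📋 Rerun", url: $rerun_url}]]}}')"
          curl -sS --fail-with-body -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
            -H "Content-Type: application/json" \
            --data-binary "${PAYLOAD}" \
            || echo "Telegram notification failed"
```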