Extend awards action

[Scroogey-SN]

Description

Implements #1849

Pass ${{ github }} through env var GITHUB_CONTEXT to the script instead of passing it on the command line.

Tested with various PR body texts (backticks, single quotes, double quote, new lines, unicode, etc.) and multiple PR merge methods (squash, merge, etc.).

[Scroogey-SN]

Security hardening for GitHub Actions covers this in detail.

[huumn]

It failed again but it looks related to repo permissions. I'm not sure what needs to change.

[Scroogey-SN]

I'll check.

[Scroogey-SN]

It seems the permission can be set on enterprise, organization, and repository level:

https://stackoverflow.com/questions/72376229/github-actions-is-not-permitted-to-create-or-approve-pull-requests-createpullre

But you previously posted a screenshot showing it enabled in the repo, so it might not be this.

[Scroogey-SN]

As per Modifying the permissions for the GITHUB_TOKEN you can see the permissions of the token in the Actions log:

You have 'read' for everything, while my private test repo shows 'write' there.

The link above explains how this can be changed in enterprise/organization levels.

We can try to add a permissions: line in the .yml.

[Scroogey-SN]

Check this first: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#configuring-the-default-github_token-permissions

If it is restricted, set to permissive. If it's already permissive, adding a permission: line to the .yml would be next to try:

In .github/workflows/extend-awards.yml, add a permissions: line right before the jobs: line

permissions: write-all
jobs:

[huumn]

Both the repo and the org have read/write enabled. It was the first thing I checked. I guess we need the yaml thing.