Add a handler to post a summary comment of Clippy lintcheck runs #1985
Conversation
Alexendoo
force-pushed
the
lintcheck-summary
branch
from
ee50dbc to
44588d3
Compare
Alexendoo
force-pushed
the
lintcheck-summary
branch
from
44588d3 to
7683dce
Compare
|
Have you thought about using a You could I think pretty easily download your artifacts and post your summary comment with it. The only tricky part would be updating the previous comment, but using a hidden marker (like triagebot does) would I think do it. |
|
A PR workflow doesn't have permission to create comments when it's from a fork but it is possible with a separate That's when I thought it might not be a good idea to allow comments of arbitrary content, but I did not fancy writing a bunch of JS in YAML |
|
Interesting, the workflow approach seems much more approachable. So if I understand correctly the motivating factor for doing this in triagebot is over security, but wouldn't adversarial PR still be able to put arbitrary data in some of the output (like name and what not)? This reminds me that in rust-lang/rust we have had for a few weeks something similar (cc @Kobzol). We have a post-merge workflow that outputs details about the workflow; granted it doesn't download artifact and runs post merge (so much less security risks). |
|
I know that posting comments from actions on PRs from forks on GitHub is a PITA, but I would like to avoid (ab)using triagebot for this, as this is a very repo-specific functionality and I think it belongs in Clippy, not in triagebot. The way I do this in the team is to run a normal |
Yeah any strings in the JSON are checked to only contain safe chars
True, I was picturing swapping the whole thing over to JS but really I only need to parse the JSON + write a file with it, the rest can still be done via FWIW I found that the PR number is available in the event, and |
|
Oh, nice, good to know about that flag! Watch out about the PR number though, I also tried to use it from that attribute, but it won't be filled on PRs from forks 🤦 |
Previously rust-lang/triagebot#1985 After a lintcheck run a comment will be created in the PR thread with an overview of the changes, example here Alexendoo#18 (comment) (plus the normal GHA debugging experience) It will only comment if there are some changes, if there's already an existing comment it will be updated for each run Similar to https://github.com/rust-lang/team/blob/master/.github/workflows/dry-run.yml The PR number is supplied by the lintcheck run, so technically someone could forge it to be annoying and edit the summaries in other threads, but that is pretty low impact and easy to deal with. There is a `pull_requests` field on the event but as @Kobzol [pointed out to me](rust-lang/triagebot#1985 (comment)) it's not populated for PRs from forks r? @flip1995 changelog: none
In Clippy we have a tool called lintcheck that we use in CI as a sort of mini crater run, this handler would post a summary of the run as a comment in the PR thread
It works by having the workflow upload a JSON artifact that the handler downloads, in Clippy we would add
JSON is used instead of uploading a markdown file so that PRs from forks can't have triagebot post arbitrary comments
For https://github.com/rust-lang/rust-clippy/actions/runs/14763277413#summary-41449477485 the following comment would be posted:
Lintcheck changes for f980edd0da51eb4da9c15eb423a7829f2c5657fc
clippy::collapsible_ifclippy::elidable_lifetime_namesclippy::extra_unused_lifetimesclippy::needless_lifetimesThis comment will be updated if you push new changes