PR review companion #73964
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Things to do and run after a "tests" job in "PR Test" workflow has completed successfully. | |
| # Note, as of right now, this workflow does a bunch of things. It might be | |
| # worth considering to break it up so there's a dedicated post-PR | |
| # workflow just to posting PR comments about flaws, for example. | |
| name: PR review companion | |
| on: | |
| workflow_run: | |
| workflows: | |
| - "PR Test" | |
| types: | |
| - completed | |
| workflow_call: | |
| secrets: | |
| GCP_PROJECT_NAME: | |
| required: true | |
| WIP_PROJECT_ID: | |
| required: true | |
| permissions: | |
| # Download artifact. | |
| actions: read | |
| # Post comment in pull request. | |
| pull-requests: write | |
| # Authenticate with GCP. | |
| id-token: write | |
| # Report commit status. | |
| statuses: write | |
| jobs: | |
| identify-pr: | |
| if: github.event.workflow_run.conclusion == 'success' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| pr-number: ${{ steps.identify-pr.outputs.number }} | |
| steps: | |
| - name: Identify PR | |
| id: identify-pr | |
| run: | | |
| PR_NUMBER=$(gh api "repos/$HEAD_REPO/commits/$HEAD_SHA/pulls" --jq ".[] | select(.base.repo.full_name == \"$BASE_REPO\") | .number") | |
| echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT | |
| env: | |
| BASE_REPO: ${{ github.repository }} | |
| GITHUB_TOKEN: ${{ github.token }} | |
| HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }} | |
| HEAD_SHA: ${{ github.event.workflow_run.head_sha }} | |
| review: | |
| needs: identify-pr | |
| environment: review | |
| runs-on: ubuntu-latest | |
| if: needs.identify-pr.outputs.pr-number | |
| env: | |
| PR_NUMBER: ${{ needs.identify-pr.outputs.pr-number }} | |
| PREFIX: pr${{ needs.identify-pr.outputs.pr-number }} | |
| STATUS_PATH: repos/${{ github.repository }}/statuses/${{ github.event.workflow_run.head_sha }} | |
| STATUS_CONTEXT: pr-review-companion | |
| STATUS_TARGET: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 | |
| with: | |
| pattern: build | |
| path: build | |
| merge-multiple: true | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - name: Check for artifacts | |
| id: check | |
| if: hashFiles('build/') != '' | |
| run: echo "HAS_ARTIFACT=true" >> "$GITHUB_OUTPUT" | |
| - name: Mark status as pending | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh api "$STATUS_PATH" \ | |
| -f state=pending \ | |
| -f context="$STATUS_CONTEXT" \ | |
| -f description='Review deployment pending' \ | |
| -f target_url="$STATUS_TARGET" | |
| - name: Authenticate with GCP | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 | |
| with: | |
| token_format: access_token | |
| service_account: deploy-mdn-review-content@${{ secrets.GCP_PROJECT_NAME }}.iam.gserviceaccount.com | |
| workload_identity_provider: projects/${{ secrets.WIP_PROJECT_ID }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions | |
| - name: Setup gcloud | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1 | |
| - name: Upload to GCS | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| uses: google-github-actions/upload-cloud-storage@6397bd7208e18d13ba2619ee21b9873edc94427a # v3.0.0 | |
| with: | |
| path: "build" | |
| destination: "${{ vars.GCP_BUCKET_NAME }}/${{ env.PREFIX }}" | |
| resumable: false | |
| headers: |- | |
| cache-control: no-store | |
| parent: false | |
| concurrency: 500 | |
| process_gcloudignore: false | |
| - name: Checkout (mdn/content) | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| with: | |
| path: content | |
| persist-credentials: false | |
| - name: Setup (mdn/content) | |
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| with: | |
| node-version-file: "content/.nvmrc" | |
| package-manager-cache: false | |
| - name: Install (mdn/content) | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| working-directory: content | |
| run: npm ci | |
| - name: Analyze PR build | |
| if: steps.check.outputs.HAS_ARTIFACT | |
| env: | |
| BUILD_OUT_ROOT: ${{ github.workspace }}/build | |
| working-directory: content | |
| run: | | |
| echo "Pull request:" | |
| echo "https://github.com/mdn/content/pull/$PR_NUMBER" | |
| node scripts/analyze-pr-build.js \ | |
| --prefix="$PREFIX" \ | |
| --analyze-flaws \ | |
| --analyze-dangerous-content \ | |
| --github-token="${{ secrets.GITHUB_TOKEN }}" \ | |
| --repo=$GITHUB_REPOSITORY \ | |
| --pr-number="$PR_NUMBER" \ | |
| --diff-file=$BUILD_OUT_ROOT/DIFF \ | |
| $BUILD_OUT_ROOT | |
| - name: Mark status as success | |
| if: steps.check.outputs.HAS_ARTIFACT && success() | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh api "$STATUS_PATH" \ | |
| -f state=success \ | |
| -f context="$STATUS_CONTEXT" \ | |
| -f description='Review deployment succeeded' \ | |
| -f target_url="$STATUS_TARGET" | |
| - name: Mark status as failure | |
| if: steps.check.outputs.HAS_ARTIFACT && failure() | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh api "$STATUS_PATH" \ | |
| -f state=failure \ | |
| -f context="$STATUS_CONTEXT" \ | |
| -f description='Review deployment failed' \ | |
| -f target_url="$STATUS_TARGET" |