diff --git a/.github/actions/pr_comment/action.yml b/.github/actions/pr_comment/action.yml deleted file mode 100644 index c8e89e2df..000000000 --- a/.github/actions/pr_comment/action.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: "Add or Update Comment" -description: "Adds a comment or updates it based on the given text id" - -inputs: - github-token: - description: "Github token associated with the request" - required: true - commenter: - description: "The commenter identity" - required: true - comment-id: - description: "The text uniquely identifying the comment to update" - required: true - comment-file: - description: "The file containing the comment in HTML format" - required: true - -runs: - using: composite - steps: - - name: Add or Update GitHub comment - uses: actions/github-script@v5 - with: - github-token: ${{ inputs.github-token }} - script: | - const fs = require('fs'); - const comment_id = "${{ inputs.comment-id }}"; - const commenter = "${{ inputs.commenter }}" - const new_comment = fs.readFileSync("${{ inputs.comment-file }}", 'utf8'); - - // List all comments in the issue - const comments = await github.rest.issues.listComments({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number - }); - - const id = `` - const content = `${id} \n 🔧 Report generated by ${commenter}\n${new_comment}` - // Find the comment with the search text - const comment = comments.data.find(c => c.body.includes(id)); - - if (comment) { - // Update the comment - await github.rest.issues.updateComment({ - owner: context.repo.owner, - repo: context.repo.repo, - comment_id: comment.id, - body: content - }); - } else { - // Add a new comment - await github.rest.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - body: content - }); - } \ No newline at end of file 
diff --git a/.github/actions/upsert-pr-comment/action.yml b/.github/actions/upsert-pr-comment/action.yml new file mode 100644 index 000000000..dcaefd3ae --- /dev/null +++ b/.github/actions/upsert-pr-comment/action.yml @@ -0,0 +1,57 @@ +name: "Upsert PR Comment with Octo-STS" +description: > + Exchanges OIDC for an Octo-STS GitHub-App token and + creates or updates a single comment on the PR. + +inputs: + body-file: + description: "Path to file whose contents become the comment body" + required: true + repo: # optional; defaults to triggering repo + description: "Repository (owner/repo)." + required: false + pr-number: # optional; defaults to triggering PR + description: "Pull-request number." + required: false + +runs: + using: "composite" + steps: + # 1. Get installation token from DD-Octo-STS + - name: Obtain Octo-STS token + id: octo-sts + uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1 + with: + audience: dd-octo-sts + scope: DataDog/java-profiler + policy: self.pr-comment + + # 2. Upsert the comment + - name: Upsert PR comment + env: + GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + BODY_FILE: ${{ inputs['body-file'] }} + REPO: ${{ inputs.repo || github.repository }} + PR: ${{ inputs['pr-number'] || github.event.pull_request.number }} + shell: bash + run: | + if [[ -s "$BODY_FILE" ]]; then + set -e + # find last comment by this actor + # first, build a jq filter that embeds the actor’s login + filter=".[] | select(.user.login == \"${GITHUB_ACTOR}\") | .id" + cid=$(gh api "repos/$REPO/issues/$PR/comments?per_page=100" \ + --jq "${filter}" | tail -n1) + + if [[ -n "$cid" ]]; then + gh api --method PATCH "repos/$REPO/issues/comments/$cid" \ + --raw-field body="$(< "$BODY_FILE")" + echo "✏️ Updated comment $cid" + else + gh api --method POST "repos/$REPO/issues/$PR/comments" \ + --raw-field body="$(< "$BODY_FILE")" + echo "💬 Created new comment" + fi + else + echo "⚠️ Skipping empty comment" + fi 
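Review bot: The lookup in the `run:` step selects comments by `$GITHUB_ACTOR`, but the comment is posted with the Octo-STS app token from the previous step, so its author is presumably the app's bot account rather than the triggering user; the `select(.user.login == "${GITHUB_ACTOR}")` filter will then miss the bot's earlier comment, and if the triggering user has commented on the PR it returns their last comment and PATCHes over it with the report. The deleted `pr_comment` action avoided this by matching on an embedded id string (`c.body.includes(id)`), and dropping that discriminator also means the two callers in codecheck.yml (scan-build and cppcheck, the second and third hunks there) can no longer be told apart, so one report overwrites the other. I would reintroduce a required `comment-id` input, prepend a hidden marker to the body and select on the marker instead of the login, as below. Separately, `scope: DataDog/java-profiler` is pinned while `repo` is an input, so a token from this exchange cannot post to any other repository; the input description should say so or the input should be dropped.
```yaml
      run: |
        # comment-id is a new required input, exported as COMMENT_ID under env:
        marker="<!-- upsert-pr-comment:${COMMENT_ID} -->"
        # select the comment carrying our marker, not the last one by $GITHUB_ACTOR
        filter=".[] | select(.body | contains(\"${marker}\")) | .id"
        cid=$(gh api "repos/$REPO/issues/$PR/comments?per_page=100" \
          --jq "${filter}" | tail -n1)
        body="${marker}"$'\n'"$(< "$BODY_FILE")"
        # ... unchanged: PATCH/POST branches, passing --raw-field body="$body" ...
```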
diff --git a/.github/workflows/codecheck.yml b/.github/workflows/codecheck.yml index a5b16bb5d..05ded44b2 100644 --- a/.github/workflows/codecheck.yml +++ b/.github/workflows/codecheck.yml @@ -6,11 +6,13 @@ concurrency: on: pull_request: + types: [opened, synchronize, reopened] permissions: contents: read pull-requests: write actions: read + id-token: write jobs: scan-build: @@ -46,13 +48,10 @@ jobs: id: read-report run: | find ddprof-lib/build/reports/scan-build -name 'index.html' | xargs -I {} python .github/scripts/python_utils.py scanbuild_cleanup {} ${HEAD_REF} > comment.html - - name: Post or update PR comment - uses: ./.github/actions/pr_comment + - name: Comment on PR + uses: ./.github/actions/upsert-pr-comment with: - github-token: ${{ secrets.GITHUB_TOKEN }} - comment-id: "scan-build" - commenter: "pr-comment-scanbuild" - comment-file: 'comment.html' + body-file: comment.html cppcheck: if: needs.check-for-pr.outputs.skip != 'true' @@ -90,13 +89,11 @@ jobs: path: | report.html report.xml - - name: Post or update PR comment - uses: ./.github/actions/pr_comment + - name: Comment on PR + uses: ./.github/actions/upsert-pr-comment with: - github-token: ${{ secrets.GITHUB_TOKEN }} - comment-id: "cppcheck" - commenter: "pr-comment-cppcheck" - comment-file: 'comment.html' + body-file: comment.html + codeql: if: needs.check-for-pr.outputs.skip != 'true' runs-on: ubuntu-latest
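Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, so every job in codecheck.yml — including codeql, visible as context in the third hunk — may mint an OIDC token, while only the two jobs that call upsert-pr-comment need it for the Octo-STS exchange. I would leave the workflow-level block as it was and add a job-level `permissions:` under `scan-build` and `cppcheck` carrying `id-token: write` together with the `contents: read` and `pull-requests: write` those jobs already rely on, since a job-level block replaces rather than extends the workflow-level one. The added `types: [opened, synchronize, reopened]` restates the default activity types for `pull_request`, so a short comment such as `# explicit for clarity: these are also the defaults` would save the next reader a lookup.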