Automatic commenting on a PR

Hi folks.

I am trying to extend what I described here to automatic commenting on the latest PR I would create.

Here’s what I have done so far -

  • Created this script that would create the comment with the PR and Issues GitHub APIs.
  • Wrote this sample workflow that would execute that script to facilitate the commenting.

With this setup, the create_pr_comment.py script is failing to get executed. -

It’s very weird to me that requests is unavailable in a standard Python setup. Or am I missing something?

Edit: I was able to resolve the issue and I can now see automatic comments on the latest PR -

Is it possible to have a GitHub bot make this comment? I tried the following, but it did not work out -

pip install requests
git config --global user.name github-actions[bot]
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
python create_pr_comment.py

According to the Permissions for the GITHUB_TOKEN documentation, the GITHUB_TOKEN has write permission on issues, so you should be able to use that instead of your PAT. The git config doesn’t have anything to do with the GitHub API.

Two other things:

  • Depending on whose pull requests your workflow should comment on, you might want to use pull_request_target instead of pull_request to trigger your workflow. For pull_request events from forks the rights associated with the GITHUB_TOKEN are heavily restricted and secrets are unavailable, because the workflow itself could have been modified, possibly maliciously.

  • You’re passing the token to your script on the command line. This is a security risk: if someone could check the running processes on the runner (think ps xau or similar), they would be able to see and copy your token. With GITHUB_TOKEN the impact would be somewhat limited, but a PAT might be exploited for a long time if the attack isn’t noticed and the token revoked. Using env would be safer.

Thanks, @airtower-luna. I incorporated your suggestions. But I do not see any workflow to trigger. I am probably missing out on something.

Also, could you elaborate on what you meant by env?

The linked workflow doesn’t seem to have anything to do with the one discussed above. :sweat_smile:

Use an environment variable to pass the token to your script, like so:

- run: python create_pr_comment.py
  env:
    TOKEN: ${{ secrets.GITHUB_TOKEN }}

And in your script use

os.environ['TOKEN']

to get the value. This has the advantage that the token isn’t part of the command line, where it can easily be seen by other processes. The risk that someone else is able to run commands on the runner VM is probably low, but it’s good to always keep this kind of thing in mind.
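Added example, not part of the original thread and not the poster's script: one way create_pr_comment.py could take the token from the TOKEN variable set under env: above and refuse a token supplied as an argument. The function names, the token-prefix heuristic and the sample comment text are assumptions; it uses urllib from the standard library instead of requests, so nothing has to be installed on the runner.

```python
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"
# Heuristic (assumption of this example): prefixes of GitHub's current token formats.
TOKEN_LIKE = re.compile(r"^(gh[pousr]_|github_pat_)")


def read_token(env=os.environ, argv=sys.argv):
    """Return the token from TOKEN; refuse one supplied as an argument."""
    # argv is visible to other processes on the runner (ps), so the secret
    # is only accepted from the environment.
    if any(TOKEN_LIKE.match(arg) for arg in argv[1:]):
        raise SystemExit("token found on the command line; pass it via env: TOKEN")
    token = env.get("TOKEN", "").strip()
    if not token:
        raise SystemExit("TOKEN is not set; add it under env: in the workflow step")
    return token


def build_comment_request(token, repo, pr_number, body):
    """Build (without sending) the POST that comments on a pull request."""
    if not re.fullmatch(r"[\w.-]+/[\w.-]+", repo):
        raise ValueError(f"unexpected repository name: {repo!r}")
    # A PR comment is created through the Issues API, using the PR number.
    url = f"{API}/repos/{repo}/issues/{int(pr_number)}/comments"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    }
    data = json.dumps({"body": body}).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def main():
    token = read_token()
    repo = os.environ["GITHUB_REPOSITORY"]  # "owner/name", set by the runner
    with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        number = json.load(fh)["number"]  # PR number from the event payload
    req = build_comment_request(token, repo, number, "Automated comment (sample text)")
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("comment created, HTTP", resp.status)


if __name__ == "__main__":
    main()
```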

This is because this workflow never ran.

Here’s one you can model from:

Here’s an example of it in action:

Thank you for chiming in. But currently, I would like to use this script when pull_request_target is triggered.

I did try it but it did not run. Maybe I am missing out on something?

Hi @sayakpaul,

For event ‘pull_request_target’,

Which means actions/checkout will get the code from the base branch by default, not the fake merge branch or the PR compare branch.

If your code exists in the PR compare branch, you need to specify the repo (and maybe the ref), such as:

- name: Checkout tools repo
  uses: actions/checkout@v2
  with:
    repository: weide-zhou/ticket24
    ref: dev

And I also tried the same workflow as you; it works fine on my side.

My workflow is here. Please set the event ‘pull_request_target’ on your base repo and base branch, not the PR compare branch.

Thanks

It won’t run in the PR that’s adding it. (This seems to be a discrepancy of pull_request_target vs pull_request workflows). Nor will it run against PRs that don’t have the workflow in their base state/branch (ex: when the “feature” branch is created from master [or whatever default] before it contained the workflow to be executed.)

Thanks @kingthorin for the explanation. In my case, what would you suggest?

Thanks so much for the help. @weide-zhou.

Quick question: I modified pr.yaml to use the following -

- uses: actions/checkout@v2
  with:
    repository: sayakpaul/wine
    ref: experiment-1

But the workflow still does not run, it appears. Is there anything I am missing?

If the actions/github-script based solution works for you, then commit it directly to your default branch (or create a PR and merge it), then open another PR to see that it works…

How would I pass an environmental variable to the body parameter of github.issues.createComment?

I have loaded some content from a file into a variable and I would like to pass that to body. Here’s the workflow file for your perusal.

name: PR Comment

on:
  pull_request:

jobs:
  PR-Comment:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Get run URL
      run: |
        body=$(<run.txt)
    - name: PR Comment
      uses: actions/github-script@v2
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
          github.issues.createComment({
            issue_number: ${{ github.event.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: body
          })

Hi @sayakpaul,

Your action cannot get the var $body since they are in separate steps.
You can get the run.txt content and set it as env, and send it to the action as a parameter. Fixed as below:

  PR-Comment:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: get the run URL
      run: |
        echo "body=$(<run.txt)" >> "$GITHUB_ENV"   # set it as env (the ::set-env command is disabled on current runners)
    - name: PR Comment
      uses: actions/github-script@v2
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
          github.issues.createComment({
            issue_number: ${{ github.event.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: '${{env.body}}'   // use '${{env.xxx}}' as the parameter
          })

Thanks

Another useful lesson. Thank you so much.