# Modelled after https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ name: Post PR Suggestions on: workflow_run: workflows: ["PR Suggestions"] types: - completed permissions: contents: read jobs: comment: permissions: pull-requests: write runs-on: ubuntu-22.04 if: > ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }} steps: - name: 'Download artifact' uses: actions/github-script@v6 with: script: | var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ owner: context.repo.owner, repo: context.repo.repo, run_id: ${{github.event.workflow_run.id }}, }); var matchArtifact = artifacts.data.artifacts.filter((artifact) => { return artifact.name == "pr" })[0]; var download = await github.rest.actions.downloadArtifact({ owner: context.repo.owner, repo: context.repo.repo, artifact_id: matchArtifact.id, archive_format: 'zip', }); var fs = require('fs'); fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); - run: unzip pr.zip - uses: actions/github-script@v6 with: script: | const { promises: fs } = require('fs') const event = (await fs.readFile('event', 'utf8')).trim() const body = (await fs.readFile('body', 'utf8')).trim() const issue_number = Number(await fs.readFile('./NR')); var req = { owner: context.repo.owner, pull_number: issue_number, repo: context.repo.repo, event: event }; if (body !== "") { req.body = body; } await github.rest.pulls.createReview(req);