Permissions + Comment Fix

2026-05-26 13:51:13 +00:00 · 2024-08-12 16:20:49 -07:00
parent 6410b2062c
commit 2968e74714
1 changed files with 29 additions and 11 deletions
@@ -1,8 +1,8 @@
 name: PR Security Scan
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  workflow_dispatch:
+  pull_request_target:
+    branches: ['**']
+
 jobs:
  scan:
    runs-on: ubuntu-latest
@@ -12,6 +12,7 @@ jobs:
      with:
        fetch-depth: 0
        submodules: 'recursive'
+
    - name: Build the Docker image
      uses: docker/build-push-action@v5
      with: 
@@ -19,6 +20,7 @@ jobs:
        push: false
        load: true
        tags: pr_image:${{ github.sha }}
+
    - name: Run Trivy vulnerability scanner on image
      uses: aquasecurity/trivy-action@0.20.0
      with:
@@ -26,6 +28,7 @@ jobs:
        format: 'json'
        output: 'trivy-image-results.json'
        severity: 'CRITICAL,HIGH'
+
    - name: Run Trivy vulnerability scanner on source code
      uses: aquasecurity/trivy-action@0.20.0
      with:
@@ -34,10 +37,12 @@ jobs:
        format: 'json'
        output: 'trivy-fs-results.json'
        severity: 'CRITICAL,HIGH'
-    - name: Process and post Trivy scan results
+
+    - name: Process Trivy scan results
+      id: process-results
      uses: actions/github-script@v7
      with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const fs = require('fs');
          let commentBody = '## Security Scan Results for PR\n\n';
@@ -79,9 +84,22 @@ jobs:
            commentBody += 'Please contact the core team for assistance.';
          }
          
-          github.rest.issues.createComment({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            body: commentBody
-          });
+          core.setOutput('comment-body', commentBody);
+
+    - name: Find Comment
+      uses: peter-evans/find-comment@v3
+      id: fc
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: Security Scan Results for PR
+
+    - name: Create or update comment
+      uses: peter-evans/create-or-update-comment@v3
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-id: ${{ steps.fc.outputs.comment-id }}
+        body: ${{ steps.process-results.outputs.comment-body }}
+        edit-mode: replace