• The pull_request trigger seems like a bad fit for the TestDriver action, since you need an API key from us. The pull_request_target trigger could work, but I don't like the security tradeoffs.
• The workflow_run trigger seems like a good alternative, though it doesn't publish the summary back to the PR by default. The TestDriver action could be tweaked to use similar logic to this action so that the underlying PR details could be extracted; then you can use the GH API to comment the test summary back to the PR.
• That got me thinking, though, that a better long-term setup is probably for your system to listen to webhook events from our build workflow and then just do everything through the GH API without using an action, similar to how CodeRabbit does things. With this setup, we wouldn't need an API key at all, since everything would be done on your end. We could store the config that we currently pass to the action in a config file in our repo, which you could read to determine the script to run on your runners. We can grant you webhook access and PR write access.
• As for the artifact download that currently needs a GITHUB_TOKEN, I get why you did this, since the GH API throttles public REST calls that don't have a token attached, but with this new setup you could use a GitHub App token instead to download the artifacts.
If we want to set up your system as a proper check without an action, you can listen to the pull_request event and push a check to the PR that resolves once a test attached to the current PR and head ref finishes.
Created by Ian Jennings
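A sketch of the webhook-driven design discussed in this thread, added here as an example and not code from TestDriver or the commenter. It assumes GitHub's standard X-Hub-Signature-256 header and the documented workflow_run event fields (`action`, `workflow_run.head_sha`, `workflow_run.conclusion`, `workflow_run.pull_requests`, `repository.full_name`); the secret, the payload and the open-PR list are constructed stand-ins.

```python
import hashlib
import hmac
import json
from typing import Optional


def sign_body(secret: bytes, body: bytes) -> str:
    """Header value GitHub sends for a payload: 'sha256=' + HMAC-SHA256(secret, body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Validate X-Hub-Signature-256 before parsing the body.

    A listener holding PR write access must act only on payloads GitHub really
    sent; compare_digest keeps the check constant-time.
    """
    if not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def extract_pr_context(payload: dict, open_prs=()) -> Optional[dict]:
    """Pull PR number, head SHA and result out of a completed workflow_run event.

    open_prs stands in for a GET /repos/{owner}/{repo}/pulls result; it is the
    fallback when pull_requests is empty, which is common for runs from forks.
    """
    if payload.get("action") != "completed":
        return None  # only a finished run has a conclusion worth reporting
    run = payload["workflow_run"]
    head_sha = run["head_sha"]
    linked = run.get("pull_requests") or []
    number = linked[0]["number"] if linked else None
    if number is None:
        number = next((pr["number"] for pr in open_prs if pr["head"]["sha"] == head_sha), None)
    if number is None:
        return None
    return {
        "repo": payload["repository"]["full_name"],
        "pr_number": number,
        "head_sha": head_sha,
        "conclusion": run["conclusion"],
        "run_id": run["id"],
    }


# Constructed sample event, trimmed to the fields used above.
SAMPLE_EVENT = {
    "action": "completed",
    "workflow_run": {"id": 987654, "head_sha": "a" * 40, "conclusion": "success",
                     "pull_requests": [{"number": 42}]},
    "repository": {"full_name": "example-org/example-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()
```

The dict returned by `extract_pr_context` is what the comment or check-run call back to the GH API would be built from; the run id lets the same handler fetch the artifacts with an App token.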