Add annotations to PRs from forks (#54779)

samestep · facebook-github-bot · commit 56f12e619998 · 2021-03-29T09:25:12.000-07:00
Summary: We've been using [pytorch/add-annotations-github-action](https://github.com/pytorch/add-annotations-github-action) to add annotations to PRs when they fail Flake8 or clang-tidy. Up until now, though, that functionality has only worked on PRs in pytorch/pytorch itself, not on PRs from forks. This PR fixes that using a technique from [this GitHub blog post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) (also linked in a comment in this diff). Pull Request resolved: #54779 Test Plan: janeyx99 and I tested this in the same GitHub repo used to test #54685 and #54693, including with PRs from forks. Reviewed By: walterddr Differential Revision: D27364777 Pulled By: samestep fbshipit-source-id: a830d372d7bb3b2529fc633b707b44f2b6cf9baa
diff --git a/.github/workflows/add_annotations.yml b/.github/workflows/add_annotations.yml
@@ -0,0 +1,57 @@
+name: Add annotations
+
+on:
+  workflow_run:
+    types:
+      - completed
+    workflows:
+      - Lint
+
+jobs:
+  annotate:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: flake8-py3
+            regex: '^(?<filename>.*?):(?<lineNumber>\d+):(?<columnNumber>\d+): (?<errorCode>\w+\d+) (?<errorDesc>.*)'
+          - name: clang-tidy
+            regex: '^(?<filename>.*?):(?<lineNumber>\d+):(?<columnNumber>\d+): (?<errorDesc>.*?) \[(?<errorCode>.*)\]'
+    if: github.event.workflow_run.event == 'pull_request'
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Download artifact
+        uses: actions/github-script@v3
+        with:
+          # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+          script: |
+            const artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == '${{ matrix.name }}';
+            })[0];
+            const download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            const fs = require('fs');
+            fs.writeFileSync('${{ github.workspace }}/linter-output.zip', Buffer.from(download.data));
+      - name: Unzip artifact
+        run: unzip linter-output.zip
+      - name: Get commit SHA
+        run: echo ::set-output name=commit-sha::$(cat commit-sha.txt)
+        id: get-commit-sha
+      - name: Add annotations
+        uses: pytorch/add-annotations-github-action@master
+        with:
+          check_name: ${{ matrix.name }}
+          linter_output_path: warnings.txt
+          commit_sha: ${{ steps.get-commit-sha.outputs.commit-sha }}
+          regex: ${{ matrix.regex }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -68,27 +68,25 @@ jobs:
         uses: actions/checkout@v2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - name: Get HEAD commit SHA
-        run: echo ::set-output name=commit-sha::$(git rev-parse HEAD)
-        id: get-commit-sha
+      - name: Prepare output dir with HEAD commit SHA
+        run: |
+          mkdir flake8-output
+          cd flake8-output
+          echo ${{ github.event.pull_request.head.sha }} > commit-sha.txt
       - name: Run flake8
         run: |
           set -eux
           pip install -r requirements-flake8.txt
           flake8 --version
-          flake8 | tee ${GITHUB_WORKSPACE}/flake8-output.txt
-      - name: Add annotations
-        uses: pytorch/add-annotations-github-action@master
+          flake8 | tee ${GITHUB_WORKSPACE}/flake8-output/warnings.txt
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
         with:
-          check_name: 'flake8-py3'
-          linter_output_path: 'flake8-output.txt'
-          commit_sha: ${{ steps.get-commit-sha.outputs.commit-sha }}
-          regex: '^(?<filename>.*?):(?<lineNumber>\d+):(?<columnNumber>\d+): (?<errorCode>\w+\d+) (?<errorDesc>.*)'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Catch any other warnings
-        run: |
-          [ ! -s flake8-output.txt ]
+          name: flake8-py3
+          path: flake8-output/
+      - name: Fail if there were any warnings
+        run: |
+          [ ! -s flake8-output/warnings.txt ]
 
   clang-tidy:
     if: github.event_name == 'pull_request'
@@ -104,9 +102,11 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0 # deep clone, to allow us to use git merge-base
-      - name: Get HEAD commit SHA
-        run: echo ::set-output name=commit-sha::$(git rev-parse HEAD)
-        id: get-commit-sha
+      - name: Prepare output dir with HEAD commit SHA
+        run: |
+          mkdir clang-tidy-output
+          cd clang-tidy-output
+          echo ${{ github.event.pull_request.head.sha }} > commit-sha.txt
       - name: Install dependencies
         run: |
           set -eux
@@ -180,18 +180,14 @@ jobs:
             -g"-torch/csrc/deploy/interpreter/interpreter.h"  \
             -g"-torch/csrc/deploy/interpreter/interpreter_impl.h"  \
             -g"-torch/csrc/deploy/interpreter/test_main.cpp"  \
-            "$@" > ${GITHUB_WORKSPACE}/clang-tidy-output.txt
+            "$@" > ${GITHUB_WORKSPACE}/clang-tidy-output/warnings.txt
 
-          cat ${GITHUB_WORKSPACE}/clang-tidy-output.txt
-      - name: Add annotations
-        uses: pytorch/add-annotations-github-action@master
+          cat ${GITHUB_WORKSPACE}/clang-tidy-output/warnings.txt
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
         with:
-          check_name: 'clang-tidy'
-          linter_output_path: 'clang-tidy-output.txt'
-          commit_sha: ${{ steps.get-commit-sha.outputs.commit-sha }}
-          regex: '^(?<filename>.*?):(?<lineNumber>\d+):(?<columnNumber>\d+): (?<errorDesc>.*?) \[(?<errorCode>.*)\]'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          name: clang-tidy
+          path: clang-tidy-output/
 
   cmakelint:
     runs-on: ubuntu-18.04
