Skip to content
Latchkey

Comment build results workflow (quasarframework/quasar)

The Comment build results workflow from quasarframework/quasar, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: quasarframework/quasar.github/workflows/comment-build-results.ymlLicense MITView source

What it does

This is the Comment build results workflow from the quasarframework/quasar repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Comment build results

# We are not using using a single workflow on `pull_request_target`, and have two workflows on `pull_request` -> `workflow_run`:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

on:
  workflow_run:
    workflows:
      - Build types
    types:
      - completed

jobs:
  check-current-build:
    runs-on: ubuntu-latest
    permissions:
      actions: read # to list the workflow runs

    if: >-
      ${{
        github.event.workflow_run.event == 'pull_request' &&
        github.event.workflow_run.conclusion == 'success'
      }}

    outputs:
      run-id: ${{ fromJSON(steps.current-workflow-run.outputs.result).id }}

    steps:
      - name: Check current types build workflow run
        id: current-workflow-run
        uses: actions/github-script@v8
        with:
          script: |
            const { data: { workflow_runs: [workflowRun] } } = await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'dev', // TODO: Get the PR target branch to support branches other than dev
              workflow_id: 'build-types.yml',
              event: 'push',
              status: 'success',
            });

            return {
              id: workflowRun?.id || -1,
            }

  comment-build-results:
    runs-on: ubuntu-latest
    permissions:
      actions: read # to download artifacts
      pull-requests: write # to comment to the PR

    needs: check-current-build

    if: ${{ needs.check-current-build.outputs.run-id != -1 }}

    steps:
      - name: Download the current types build
        uses: actions/github-script@v8
        env:
          CURRENT_RUN_ID: ${{ needs.check-current-build.outputs.run-id }}
        with:
          script: |
            const { writeFile, unlink } = require('node:fs/promises');
            const { resolve } = require('node:path');
            const __dirname = process.env.GITHUB_WORKSPACE;

            const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: process.env.CURRENT_RUN_ID,
            });
            const artifact = artifacts.find(({ name }) => name === 'types-build');
            const { data: artifactData } = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: artifact.id,
              archive_format: 'zip',
            });

            const zipPath = resolve(__dirname, './current-build.zip');
            await writeFile(zipPath, Buffer.from(artifactData));
            await exec.exec('unzip', [zipPath, '-d', './current-build']);
            await unlink(zipPath);

      - name: Download the PR information artifact
        id: pr-info
        uses: actions/github-script@v8
        with:
          script: |
            const { readFile, writeFile, unlink } = require('node:fs/promises');
            const { resolve } = require('node:path');
            const __dirname = process.env.GITHUB_WORKSPACE;

            const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const artifact = artifacts.find(({ name }) => name === 'types-build');
            const { data: artifactData } = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: artifact.id,
              archive_format: 'zip',
            });

            const zipPath = resolve(__dirname, './pr-info.zip');
            await writeFile(zipPath, Buffer.from(artifactData));
            await exec.exec('unzip', [zipPath, '-d', './pr-build']);
            await unlink(zipPath);

            const prNumberPath = resolve(__dirname, './pr-build/.pr-number');
            const prNumberString = await readFile(prNumberPath, { encoding: 'utf-8' })
            await unlink(prNumberPath);

            return {
              number: Number(prNumberString)
            }

      - name: Prepare build results
        run: |
          echo "# Build Results" >> build-results.md
          echo "" >> build-results.md

          echo "## JSON API" >> build-results.md
          echo "" >> build-results.md
          # git diff exits with 1 if there is no diff, which evaluates to true
          if $(git diff --no-index ./current-build/api ./pr-build/api > ./api.diff); then
            echo "πŸ“œ No changes detected." >> build-results.md
          else
            echo "πŸ“œ Changes detected:" >> build-results.md
            echo '```diff' >> build-results.md
            cat ./api.diff >> build-results.md
            echo '```' >> build-results.md
          fi
          echo "" >> build-results.md

          echo "## Types" >> build-results.md
          echo "" >> build-results.md
          # git diff exits with 1 if there is no diff, which evaluates to true
          if $(git diff --no-index ./current-build/types ./pr-build/types > ./types.diff); then
            echo "πŸ“œ No changes detected." >> build-results.md
          else
            echo "πŸ“œ Changes detected:" >> build-results.md
            echo '```diff' >> build-results.md
            cat ./types.diff >> build-results.md
            echo '```' >> build-results.md
          fi
          echo "" >> build-results.md

      - uses: marocchino/sticky-pull-request-comment@v3
        with:
          number: ${{ fromJSON(steps.pr-info.outputs.result).number }}
          hide_and_recreate: true
          hide_classify: 'OUTDATED'
          path: build-results.md

      - run: cat build-results.md >> $GITHUB_STEP_SUMMARY

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Comment build results
 
# We are not using using a single workflow on `pull_request_target`, and have two workflows on `pull_request` -> `workflow_run`:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 
on:
  workflow_run:
    workflows:
      - Build types
    types:
      - completed
 
jobs:
  check-current-build:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      actions: read # to list the workflow runs
 
    if: >-
      ${{
        github.event.workflow_run.event == 'pull_request' &&
        github.event.workflow_run.conclusion == 'success'
      }}
 
    outputs:
      run-id: ${{ fromJSON(steps.current-workflow-run.outputs.result).id }}
 
    steps:
      - name: Check current types build workflow run
        id: current-workflow-run
        uses: actions/github-script@v8
        with:
          script: |
            const { data: { workflow_runs: [workflowRun] } } = await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              branch: 'dev', // TODO: Get the PR target branch to support branches other than dev
              workflow_id: 'build-types.yml',
              event: 'push',
              status: 'success',
            });
 
            return {
              id: workflowRun?.id || -1,
            }
 
  comment-build-results:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      actions: read # to download artifacts
      pull-requests: write # to comment to the PR
 
    needs: check-current-build
 
    if: ${{ needs.check-current-build.outputs.run-id != -1 }}
 
    steps:
      - name: Download the current types build
        uses: actions/github-script@v8
        env:
          CURRENT_RUN_ID: ${{ needs.check-current-build.outputs.run-id }}
        with:
          script: |
            const { writeFile, unlink } = require('node:fs/promises');
            const { resolve } = require('node:path');
            const __dirname = process.env.GITHUB_WORKSPACE;
 
            const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: process.env.CURRENT_RUN_ID,
            });
            const artifact = artifacts.find(({ name }) => name === 'types-build');
            const { data: artifactData } = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: artifact.id,
              archive_format: 'zip',
            });
 
            const zipPath = resolve(__dirname, './current-build.zip');
            await writeFile(zipPath, Buffer.from(artifactData));
            await exec.exec('unzip', [zipPath, '-d', './current-build']);
            await unlink(zipPath);
 
      - name: Download the PR information artifact
        id: pr-info
        uses: actions/github-script@v8
        with:
          script: |
            const { readFile, writeFile, unlink } = require('node:fs/promises');
            const { resolve } = require('node:path');
            const __dirname = process.env.GITHUB_WORKSPACE;
 
            const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const artifact = artifacts.find(({ name }) => name === 'types-build');
            const { data: artifactData } = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: artifact.id,
              archive_format: 'zip',
            });
 
            const zipPath = resolve(__dirname, './pr-info.zip');
            await writeFile(zipPath, Buffer.from(artifactData));
            await exec.exec('unzip', [zipPath, '-d', './pr-build']);
            await unlink(zipPath);
 
            const prNumberPath = resolve(__dirname, './pr-build/.pr-number');
            const prNumberString = await readFile(prNumberPath, { encoding: 'utf-8' })
            await unlink(prNumberPath);
 
            return {
              number: Number(prNumberString)
            }
 
      - name: Prepare build results
        run: |
          echo "# Build Results" >> build-results.md
          echo "" >> build-results.md
 
          echo "## JSON API" >> build-results.md
          echo "" >> build-results.md
          # git diff exits with 1 if there is no diff, which evaluates to true
          if $(git diff --no-index ./current-build/api ./pr-build/api > ./api.diff); then
            echo "πŸ“œ No changes detected." >> build-results.md
          else
            echo "πŸ“œ Changes detected:" >> build-results.md
            echo '```diff' >> build-results.md
            cat ./api.diff >> build-results.md
            echo '```' >> build-results.md
          fi
          echo "" >> build-results.md
 
          echo "## Types" >> build-results.md
          echo "" >> build-results.md
          # git diff exits with 1 if there is no diff, which evaluates to true
          if $(git diff --no-index ./current-build/types ./pr-build/types > ./types.diff); then
            echo "πŸ“œ No changes detected." >> build-results.md
          else
            echo "πŸ“œ Changes detected:" >> build-results.md
            echo '```diff' >> build-results.md
            cat ./types.diff >> build-results.md
            echo '```' >> build-results.md
          fi
          echo "" >> build-results.md
 
      - uses: marocchino/sticky-pull-request-comment@v3
        with:
          number: ${{ fromJSON(steps.pr-info.outputs.result).number }}
          hide_and_recreate: true
          hide_classify: 'OUTDATED'
          path: build-results.md
 
      - run: cat build-results.md >> $GITHUB_STEP_SUMMARY
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow