diff --git a/.github/workflows/test_code.yaml b/.github/workflows/test_code.yaml
index 3fdf011510..52bce85ef6 100644
--- a/.github/workflows/test_code.yaml
+++ b/.github/workflows/test_code.yaml
@@ -29,12 +29,22 @@ jobs:
         run: pip install hatch
       - name: Test Python
         run: hatch run test:test-coverage
-      - name: Save coverage output as an artifact
+      # For security reasons, PRs created from forks cannot generate PR comments directly
+      # (see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+      # Instead we need to trigger another workflow after this one completes.
+      - name: Generate coverage comment
+        id: coverage_comment
+        uses: py-cov-action/python-coverage-comment-action@v3
+        with:
+          GITHUB_TOKEN: ${{ github.token }}
+      # Save the coverage comment for later use
+      # See https://github.com/py-cov-action/python-coverage-comment-action/blob/main/README.md
+      - name: Save coverage comment as an artifact
         uses: actions/upload-artifact@v4
+        if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
         with:
-          name: python-coverage-data
-          path: .coverage
-          if-no-files-found: error
+          name: python-coverage-comment-action
+          path: python-coverage-comment-action.txt
 
   test_markdown_links:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_coverage.yaml b/.github/workflows/test_coverage.yaml
index 28cc96c117..82bed5a021 100644
--- a/.github/workflows/test_coverage.yaml
+++ b/.github/workflows/test_coverage.yaml
@@ -1,5 +1,5 @@
 ---
-name: Comment with test coverage
+name: Test code - post coverage comment
 # Run workflow after test_code has completed
 on:  # yamllint disable-line rule:truthy
@@ -24,7 +24,7 @@ jobs:
         # artifact that contains the comment to be published
         actions: read
       steps:
-        # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+        # Post the pre-generated coverage comment
         - name: Post coverage comment
           uses: py-cov-action/python-coverage-comment-action@v3
           with:
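Review bot: The new `Generate coverage comment` step hands `github.token` to a third-party action referenced only by the floating tag `py-cov-action/python-coverage-comment-action@v3`, so whoever can move that tag controls code running with the job's token; pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: py-cov-action/python-coverage-comment-action@<commit-sha>  # v3`. The same applies to `actions/upload-artifact@v4` in this hunk and to the `Post coverage comment` step in test_coverage.yaml, which runs in the `workflow_run` context where a compromised action would have the most leverage. The job's `permissions` block is outside this hunk; since the job now only runs tests and uploads an artifact, it is worth confirming it is limited to `contents: read`. The enclosing `jobs:` mapping starts before the hunk.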
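Review bot: Replacing the securitylab link with `# Post the pre-generated coverage comment` removes the only in-file explanation of why posting is split into this separate `workflow_run` job: it consumes an artifact produced from an untrusted fork PR while presumably holding the permissions needed to comment (the hunk shows only `actions: read`; the rest of the permissions block is above it). The new comment says what the step does but not the constraint that matters here, namely that nothing from the PR may be checked out or executed in this job and the artifact must be treated as data only. Suggest keeping the rationale next to the step, e.g. `# Runs in workflow_run on an artifact from an untrusted PR: treat its contents as data only,` followed by `# never check out or run PR code here (see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).`. The step's `with:` block continues past the end of the hunk.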