From 7cd3e74d46927fb667cb1e8c336be960e86647a1 Mon Sep 17 00:00:00 2001
From: Sebastiaan Zeeff
Date: Wed, 9 Dec 2020 23:06:30 +0100
Subject: Use workflow_run to send status embed to Discord
I've changed the way we send status embeds to make it work for PRs made from forks without potentially exposing secrets. Instead of using the initial workflows to send the embed, I've created a `workflow_run` workflow that always runs in the context of the base repository. And added benefit is that we don't have to add the status embed step to two separate workflows.
---
.github/workflows/build.yaml | 31 ----------------
.github/workflows/lint.yaml | 32 -----------------
.github/workflows/status_embed.yaml | 71 +++++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+), 63 deletions(-)
create mode 100644 .github/workflows/status_embed.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 64c272cf..b0c03139 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -75,34 +75,3 @@ jobs:
 kubernetes/sir-lancebot/deployment.yaml
 images: 'ghcr.io/python-discord/sir-lancebot:${{ steps.sha_tag.outputs.tag }}'
 kubectl-version: 'latest'
-
- # Send an informational status embed to Discord instead of the
- # standard embeds that Discord sends. This embed will contain
- # more information and we can fine tune when we actually want
- # to send an embed.
- - name: GitHub Actions Status Embed for Discord
- # This is the last step in the lint-build sequence, so always send
- # an embed, regardless of success, failure or cancelled status.
- if: always()
- uses: SebastiaanZ/github-status-embed-for-discord@v0.1.1
- with:
- # Our GitHub Actions webhook
- webhook_id: '784184528997842985'
- webhook_token: ${{ secrets.GHA_WEBHOOK_TOKEN }}
-
- # Workflow information
- workflow_name: ${{ github.workflow }}
- run_id: ${{ github.run_id }}
- run_number: ${{ github.run_number }}
- status: ${{ job.status }}
- actor: ${{ github.actor }}
- repository: ${{ github.repository }}
- ref: ${{ github.ref }}
- sha: ${{ github.sha }}
-
- # Optional PR-information. These values will be "null" if
- # the event trigger was not PR-related.
- pr_author_login: ${{ github.event.pull_request.user.login }}
- pr_number: ${{ github.event.pull_request.number }}
- pr_title: ${{ github.event.pull_request.title }}
- pr_source: ${{ github.event.pull_request.head.label }}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 8dd93773..063f406c 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -91,35 +91,3 @@ jobs:
 - name: Run flake8
 run: "flake8 \
 --format='::error file=%(path)s,line=%(row)d,col=%(col)d::[flake8] %(code)s: %(text)s'"
-
- # Send an informational status embed to Discord instead of the
- # standard embeds that Discord sends. This embed will contain
- # more information and we can fine tune when we actually want
- # to send an embed.
- - name: GitHub Actions Status Embed for Discord
- # For a `pull_request` we always want to send a status embed
- # here. For a push event, only when this workflow is the last
- # in lint->build sequence because it failed or was cancelled.
- if: github.event_name == 'pull_request' || cancelled() || failure()
- uses: SebastiaanZ/github-status-embed-for-discord@v0.1.1
- with:
- # Our GitHub Actions webhook
- webhook_id: '784184528997842985'
- webhook_token: ${{ secrets.GHA_WEBHOOK_TOKEN }}
-
- # Workflow information
- workflow_name: ${{ github.workflow }}
- run_id: ${{ github.run_id }}
- run_number: ${{ github.run_number }}
- status: ${{ job.status }}
- actor: ${{ github.actor }}
- repository: ${{ github.repository }}
- ref: ${{ github.ref }}
- sha: ${{ github.sha }}
-
- # Optional PR-information. These values will be "null" if
- # the event trigger was not PR-related.
- pr_author_login: ${{ github.event.pull_request.user.login }}
- pr_number: ${{ github.event.pull_request.number }}
- pr_title: ${{ github.event.pull_request.title }}
- pr_source: ${{ github.event.pull_request.head.label }}
diff --git a/.github/workflows/status_embed.yaml b/.github/workflows/status_embed.yaml
new file mode 100644
index 00000000..1d175fb9
--- /dev/null
+++ b/.github/workflows/status_embed.yaml
@@ -0,0 +1,71 @@
+name: Status Embed
+
+on:
+ workflow_run:
+ workflows:
+ - Lint
+ - Build
+ types:
+ - completed
+
+jobs:
+ status_embed:
+ # We send the embed in the following situations:
+ # - Always after the `Build` workflow, as it runs at the
+ # end of our workflow sequence regardless of status.
+ # - Always for the `pull_request` event, as it only
+ # runs one workflow.
+ # - Always run for non-success workflows, as they
+ # terminate the workflow sequence.
+ if: >-
+ github.event.workflow_run.name == 'Build' ||
+ github.event.workflow_run.event == 'pull_request' ||
+ github.event.workflow_run.conclusion != 'success'
+ name: Send Status Embed to Discord
+ runs-on: ubuntu-latest
+
+ steps:
+ # Unfortunately, not all the pull request information we
+ # need is available in the workflow_run payload. We need
+ # to fetch it from the API.
+ - name: Get Pull Request Information
+ if: github.event.workflow_run.event == 'pull_request'
+ uses: octokit/request-action@v2.0.2
+ id: pull_request
+ with:
+ route: GET /repos/{owner}/{repo}/pulls
+ owner: ${{ github.event.repository.owner.login }}
+ repo: ${{ github.event.repository.name }}
+ state: open
+ head: ${{format(
+ '{0}:{1}',
+ github.event.workflow_run.head_repository.owner.login,
+ github.event.workflow_run.head_branch
+ )}}
+ sort: updated
+ direction: desc
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # Send an informational status embed to Discord instead of the
+ # standard embeds that Discord sends. This embed will contain
+ # more information and we can fine tune when we actually want
+ # to send an embed.
+ - name: GitHub Actions Status Embed for Discord
+ uses: SebastiaanZ/github-status-embed-for-discord@v0.2.1
+ with:
+ # Our GitHub Actions webhook
+ webhook_id: '784184528997842985'
+ webhook_token: ${{ secrets.GHA_WEBHOOK_TOKEN }}
+
+ # Workflow information
+ workflow_name: ${{ github.event.workflow_run.name }}
+ run_id: ${{ github.event.workflow_run.id }}
+ run_number: ${{ github.event.workflow_run.run_number }}
+ status: ${{ github.event.workflow_run.conclusion }}
+ actor: ${{ github.actor }}
+ repository: ${{ github.repository }}
+ ref: ${{ github.ref }}
+ sha: ${{ github.event.workflow_run.head_sha }}
+
+ pull_request_payload: ${{ steps.pull_request.outputs.data }}
--
cgit v1.2.3
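Review bot: Both steps in the new status_embed.yaml reference third-party actions by mutable tag (`octokit/request-action@v2.0.2` and `SebastiaanZ/github-status-embed-for-discord@v0.2.1`), and because a `workflow_run` workflow runs in the base repository with `secrets.GHA_WEBHOOK_TOKEN` and `GITHUB_TOKEN` in scope, a re-pointed tag would run with those credentials. Pin each to a full commit SHA and keep the tag as a comment, e.g. `uses: octokit/request-action@<full-commit-sha>  # v2.0.2` (placeholder, not a real hash). The workflow also declares no `permissions:` block; the only API call visible here is a read of the pull request list, so a workflow-level `permissions:` containing `pull-requests: read` is probably sufficient, to be confirmed against the repository's token defaults. Separately, `ref: ${{ github.ref }}` is evaluated in the `workflow_run` context, where it names the default branch rather than the branch of the triggering run; `ref: ${{ github.event.workflow_run.head_branch }}` looks like the intended value, matching what was already done for `sha`.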