fix(workflows/pr-test): do not use pull_request_target (#25578)

caugner · web-flow · commit 6c72534b4e22 · 2025-01-24T15:26:01.000+01:00
Same approach as in the previous `pr-test` workflow in content: https://github.com/mdn/content/blob/e4a247688d05e26847527ce88434b3f53b47ad3f/.github/workflows/pr-test.yml
diff --git a/.github/workflows/pr-review-companion.yml b/.github/workflows/pr-review-companion.yml
@@ -9,31 +9,48 @@
 
 name: PR review companion
 
-on: workflow_call
+on:
+  workflow_run:
+    workflows:
+      - "PR Test"
+    types:
+      - completed
 
 jobs:
   review:
     runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
     steps:
       - name: "Download artifact"
         uses: actions/download-artifact@v4
         with:
-          name: build
+          pattern: build
           path: build
+          merge-multiple: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Check for artifacts
+        if: hashFiles('build/') != ''
+        run: |
+          echo "HAS_ARTIFACT=true" >> "$GITHUB_ENV"
 
       - uses: actions/checkout@v4
+        if: env.HAS_ARTIFACT
         with:
           repository: mdn/yari
           path: yari
 
       - name: Install Python
+        if: env.HAS_ARTIFACT
         id: setup-python
         uses: actions/setup-python@v5
         with:
           python-version: "3.10"
 
       # See https://www.peterbe.com/plog/install-python-poetry-github-actions-faster
       - name: Load cached ~/.local
+        if: env.HAS_ARTIFACT
         uses: actions/cache@v4
         with:
           path: ~/.local
@@ -42,12 +59,14 @@ jobs:
           key: dotlocal-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-0
 
       - name: Install Python poetry
-        uses: snok/install-poetry@v1
+        if: env.HAS_ARTIFACT
+        uses: snok/install-poetry@v1.4
         with:
           virtualenvs-create: true
           virtualenvs-in-project: true
 
       - name: Load cached venv
+        if: env.HAS_ARTIFACT
         id: cached-poetry-dependencies
         uses: actions/cache@v4
         with:
@@ -57,17 +76,19 @@ jobs:
           key: venv-${{ runner.os }}-${{ hashFiles('**/poetry.lock') }}-${{ steps.setup-python.outputs.python-version }}-0
 
       - name: Install poetry dependencies
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+        if: env.HAS_ARTIFACT && steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
         run: |
           cd yari/deployer
           poetry install --no-interaction --no-root
 
       - name: Install Deployer
+        if: env.HAS_ARTIFACT
         run: |
           cd yari/deployer
           poetry install --no-interaction
 
       - name: Deploy and analyze built content
+        if: env.HAS_ARTIFACT
         env:
           BUILD_OUT_ROOT: ${{ github.workspace }}/build
 
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
@@ -7,17 +7,12 @@
 name: PR Test
 
 on:
-  # The `GITHUB_TOKEN` in workflows triggered by the `pull_request_target` event
-  # is granted read/write repository access.
-  # Please pay attention to limit the permissions of each job!
-  # https://docs.github.com/actions/using-jobs/assigning-permissions-to-jobs
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
 jobs:
   tests:
-    # do not run on PRs in forks
     if: github.repository == 'mdn/translated-content'
     runs-on: ubuntu-latest
     # Set the permissions to `read-all`, preventing the workflow from
@@ -112,14 +107,14 @@ jobs:
 
         working-directory: ${{ github.workspace }}/mdn/content
         run: |
-          mkdir -p ${BUILD_OUT_ROOT}
+          mkdir -p $BUILD_OUT_ROOT
 
           # Don't use `yarn build` (from mdn/content) because that one hardcodes
           # the BUILD_OUT_ROOT and CONTENT_ROOT env vars.
           node node_modules/@mdn/yari/build/cli.js ${GIT_DIFF_CONTENT}
 
           echo "Disk usage size of build"
-          du -sh ${BUILD_OUT_ROOT}
+          du -sh $BUILD_OUT_ROOT
 
           # Save the PR number into the build
           echo ${{ github.event.number }} > ${BUILD_OUT_ROOT}/NR
@@ -130,16 +125,13 @@ jobs:
           # be able to use this raw diff file for the benefit of analyzing.
           wget https://github.com/${{ github.repository }}/compare/${BASE_SHA}...${HEAD_SHA}.diff -O ${BUILD_OUT_ROOT}/DIFF
 
-          # Set the output variable so the next job could skip if there are no assets
-          echo "has_assets=true" >> "$GITHUB_OUTPUT"
-
       - name: Merge static assets with built documents
         if: env.GIT_DIFF_CONTENT
         run: |
           # Exclude the .map files, as they're used for debugging JS and CSS.
           rsync -a --exclude "*.map" ${{ github.workspace }}/mdn/content/node_modules/@mdn/yari/client/build/ ${BUILD_OUT_ROOT}
           # Show the final disk usage size of the build.
-          du -sh ${BUILD_OUT_ROOT}
+          du -sh $BUILD_OUT_ROOT
 
       - uses: actions/upload-artifact@v4
         if: env.GIT_DIFF_CONTENT
@@ -154,16 +146,6 @@ jobs:
           CONTENT_TRANSLATED_ROOT: ${{ github.workspace }}/files
         working-directory: ${{ github.workspace }}/mdn/content
         run: |
-          echo ${GIT_DIFF_FILES}
-
-          yarn filecheck ${GIT_DIFF_FILES}
-
-  review:
-    needs: tests
-    if: needs.tests.outputs.has_assets
-    # write permissions are required to create a comment in the corresponding PR
-    permissions: write-all
-    uses: ./.github/workflows/pr-review-companion.yml
-    # inherit the secrets from the parent workflow
-    # https://docs.github.com/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
-    secrets: inherit
+          echo $GIT_DIFF_FILES
+
+          yarn filecheck $GIT_DIFF_FILES
