Post CI security scanner findings as sticky PR comments #68
Reference: james/carol#68
Today the security scanners in
.forgejo/workflows/pr.yml(npm_audit,osv_scan,image_scanfrom ADR-0005, plusgitleaksfrom ADR-0011) all write their findings to$GITHUB_STEP_SUMMARYviascripts/ci/security-summary.mjs. Reviewers only see the findings if they click into the run details — they're not visible from the PR conversation itself.A sticky PR comment per scanner would surface findings where reviewers actually look: in the PR. The step summary stays as the drill-down detail.
Scope
- `scripts/ci/security-summary.mjs` with a `--post-pr-comment` mode (or a sibling script that reuses its findings table generator). It takes a marker (e.g. `<!-- scanner: gitleaks -->`), the PR number, and a Forgejo API token from env vars.
- `GET /api/v1/repos/{owner}/{repo}/issues/{index}/comments` filtered by the marker; `PATCH` it if found, `POST` a new one if not. Avoids every push spamming a fresh comment.
- `DELETE` the stale comment so reviewers don't see lingering warnings.
- `${{ secrets.GITHUB_TOKEN }}` (or the equivalent shim) with the minimum scope needed to comment on issues / PRs.

Out of scope

- `scripts/ci/security-summary.mjs` beyond what the new mode requires.

Acceptance criteria

- `ghp_…` PAT for gitleaks) end-to-end produces the comment on the PR.
- `docs/ci.md` so a self-hoster forking Carol's workflow knows what to grant.

Part of epic #2. References ADR-0005 (`docs/adr/0005-ci-security-scanning.md`) and ADR-0011 (`docs/adr/0011-gitleaks-ci.md`).
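The GET / PATCH / POST / DELETE flow from the Scope section, as an added example that is not Carol's `scripts/ci/security-summary.mjs`: a pure planner that decides the API calls from the existing comment list (so it runs offline), plus a thin runner. It assumes Forgejo's Gitea-compatible REST API with `Authorization: token <PAT>`, hypothetical env var names (`FORGEJO_URL`, `FORGEJO_TOKEN`, `REPO_OWNER`, `REPO_NAME`, `PR_NUMBER`), the marker as the first line of the comment body, and `findings === null` meaning the scanner came back clean. It goes slightly beyond the issue by also deleting duplicate marked comments left by an earlier broken run.

```javascript
// Added example (not Carol's own script). Marker, PR number and token come
// from the caller / env, as the issue proposes. Env var names are assumed.
// findings === null means "scanner clean"; a string is the rendered table.

function scannerMarker(scanner) {
  return `<!-- scanner: ${scanner} -->`;
}

// Returns the API calls (method, path, JSON body) that leave exactly one
// comment per scanner: PATCH the marked comment if found, POST if none,
// DELETE it once the scanner is clean, nothing if clean and absent.
// Extra marked comments (duplicates from a broken run) are deleted too.
function planStickyComment({ owner, repo, index, marker, findings, existing }) {
  const repoApi = `/api/v1/repos/${owner}/${repo}`;
  const isMine = (c) => typeof c.body === "string" && c.body.trimStart().startsWith(marker);
  const [keep, ...dupes] = existing.filter(isMine);
  const body = findings === null ? null : `${marker}\n${findings}`;
  const calls = [];
  if (!keep) {
    if (body !== null) calls.push({ method: "POST", path: `${repoApi}/issues/${index}/comments`, body: { body } });
    return calls;
  }
  // Edit/delete address a comment by id under /issues/comments/{id}, not under the PR index.
  const byId = (id) => `${repoApi}/issues/comments/${id}`;
  if (body !== null) calls.push({ method: "PATCH", path: byId(keep.id), body: { body } });
  else calls.push({ method: "DELETE", path: byId(keep.id) });
  for (const d of dupes) calls.push({ method: "DELETE", path: byId(d.id) });
  return calls;
}

// CI runner: list the PR's comments, then execute the planned calls in order.
async function postStickyComment({ scanner, findings, env = process.env, fetchImpl = fetch }) {
  const { FORGEJO_URL, FORGEJO_TOKEN, REPO_OWNER, REPO_NAME, PR_NUMBER } = env;
  const headers = { Authorization: `token ${FORGEJO_TOKEN}`, "Content-Type": "application/json" };
  const listPath = `/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/issues/${PR_NUMBER}/comments`;
  const listRes = await fetchImpl(`${FORGEJO_URL}${listPath}`, { headers });
  if (!listRes.ok) throw new Error(`GET ${listPath} failed: ${listRes.status}`);
  const existing = await listRes.json();
  const ctx = { owner: REPO_OWNER, repo: REPO_NAME, index: PR_NUMBER, marker: scannerMarker(scanner), findings, existing };
  for (const call of planStickyComment(ctx)) {
    const init = { method: call.method, headers, body: call.body ? JSON.stringify(call.body) : undefined };
    const res = await fetchImpl(`${FORGEJO_URL}${call.path}`, init);
    if (!res.ok) throw new Error(`${call.method} ${call.path} failed: ${res.status}`);
  }
}
```

Because the planner is pure, the "clean scanner deletes its comment" and "second push patches instead of posting" cases can be checked in a unit test without a Forgejo instance; only the runner needs the token.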