Further split commenting command - give parsing step reaction permission (#18751)

T-Gro · web-flow · commit 0fff0de309f1 · 2025-07-11T11:22:51.000+02:00
* Further split commenting command - give parsing step reaction permission

Changes:

Split parsing into separate job with proper permissions to fix reaction failures
Rename detect-and-run → run-parsed-command for clarity
Improve failure handling - only apply patches when command execution succeeds
Remove redundant conditions and output duplication
Fixes: The workflow now properly handles the comment-pipeline action's permission requirements and has better error resilience.

* Update .github/workflows/commands.yml
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
@@ -5,12 +5,11 @@ on:
     types: [created]
 
 jobs:
-  # This first job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
-  # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
-  # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
-  # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
-  detect-and-run:
+  parsing_job:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write  # Allow adding a reaction via the comment-pipeline
+      pull-requests: write
     outputs:
       command: ${{ steps.parse.outputs.command }}
       arg: ${{ steps.parse.outputs.arguments }}
@@ -28,11 +27,20 @@ jobs:
             /run test-baseline
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+  # This second job by definiton runs user-supplied code - you must NOT elevate its permissions to `write`
+  # Malicious code could change nuget source URL, build targets or even compiler itself to pass a GH token
+  # And use it to create branches, spam issues etc. Any write-actions happen in the second job, which does not allow
+  # user extension points (i.e. plain scripts, must NOT run scripts from within checked-out code)
+  run-parsed-command:
+    needs: parsing_job
+    runs-on: ubuntu-latest
+    if: needs.parsing_job.outputs.command != ''
+    steps:
+
       - name: Checkout the repository
         uses: actions/checkout@v4
           
       - name: Checkout PR branch
-        if: ${{ steps.parse.outputs.command }}
         run: gh auth setup-git && gh pr checkout ${{ github.event.issue.number }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -46,7 +54,7 @@ jobs:
         run: dotnet tool restore
         
       - name: Setup .NET 9.0.0 Runtime for test execution
-        if: ${{ steps.parse.outputs.command == '/run test-baseline' }}
+        if: ${{ needs.parsing_job.outputs.command == '/run test-baseline' }}
         uses: actions/setup-dotnet@v4
         with:
           dotnet-version: '9.0.x'
@@ -57,17 +65,17 @@ jobs:
           TEST_UPDATE_BSL: 1
         continue-on-error: true
         run: |
-          case "${{ steps.parse.outputs.command }}" in
+          case "${{ needs.parsing_job.outputs.command }}" in
             "/run fantomas") dotnet fantomas . ;;
             "/run xlf") dotnet build src/Compiler /t:UpdateXlf ;;
             "/run ilverify") pwsh tests/ILVerify/ilverify.ps1 ;;
-            "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ steps.parse.outputs.arguments }}" -c Release || true ;;
+            "/run test-baseline") dotnet test ./FSharp.Compiler.Service.sln --filter "${{ needs.parsing_job.outputs.arg }}" -c Release || true ;;
             *) echo "Unknown command" && exit 1 ;;
           esac
 
       - name: Create patch & metadata
         id: meta
-        if: steps.parse.outputs.command
+        if: needs.parsing_job.outputs.command
         run: |
           echo "run_step_outcome=${{ steps.run-cmd.outcome }}" > result
           if [[ "${{ steps.run-cmd.outcome }}" == "success" ]]; then
@@ -87,12 +95,12 @@ jobs:
             result
 
   apply-and-report:
-    needs: detect-and-run
+    needs: [parsing_job, run-parsed-command]
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
-    if: needs.detect-and-run.outputs.command != ''
+    if: needs.parsing_job.outputs.command != '' && needs.run-parsed-command.result == 'success'
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
@@ -121,7 +129,7 @@ jobs:
           git config user.name "GH Actions"
           git config user.email "actions@github.com"          
           git add -u
-          git commit -m "Apply patch from ${{ needs.detect-and-run.outputs.command }}"
+          git commit -m "Apply patch from ${{ needs.parsing_job.outputs.command }}"
           upstream=$(git rev-parse --abbrev-ref --symbolic-full-name @{u})
           remote=${upstream%%/*}
           branch=${upstream#*/}
@@ -140,7 +148,7 @@ jobs:
       - name: Generate and publish report
         if: always()
         env:
-          COMMAND: ${{ needs.detect-and-run.outputs.command }}
+          COMMAND: ${{ needs.parsing_job.outputs.command }}
           OUTCOME: ${{ steps.read-meta.outputs.run_step_outcome }}
           PATCH: ${{ steps.read-meta.outputs.hasPatch }}
         run: |
