GitHub Actions: Use new pull_request_target event

[ewels]

GitHub Actions has introduced a new event type: pull_request_target

https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target
This event is similar to pull_request, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.

In order to solve this [security issues with pull_request], we’ve added a new pull_request_target event, which behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request.

Switching this in to the .github/workflows/branch.yml workflow should mean that we can have automated comments for PRs coming from forks, rather than just branches 🎉

I would like to also use it in linting.yml, which would that we could have the nice automated comment with the nf-core lint results from fork PRs. However, I think that we want lint tests to run on the merge commit code, so we probably shouldn't switch this one 😞

[ewels]

NB: Tricky to test, as needs to be merged to master in order to be active.

[ewels]

This blog post describes how we could get the lint comment to work: https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

The new workflow_run event enables you to trigger a new workflow when one or more workflows are requested or completed. Runs triggered by the workflow_run event always use the default branch for the repository, and have access to a read/write token as well as secrets.
As an example, as a maintainer you could set up a workflow that takes the artifacts generated by the pull request workflow, do some analysis, and post comments back to the pull request.

There must be a blog post or example somewhere that we can pinch to try this out..

[ewels]

Tested the linting with the new event trigger and it didn't work, as expected: nf-core/testpipeline#7

So now we know..

[ewels]

I started looking into the workflow_run thing but it's actually fairly complex. The code I wrote to post the comments is not trivial:

tools/nf_core/lint.py

Lines 1473 to 1525 in 9b3eec9

	def github_comment(self):
	"""
	If we are running in a GitHub PR, try to post results as a comment
	"""
	if os.environ.get("GITHUB_TOKEN", "") == "":
	log.debug("Environment variable GITHUB_TOKEN not found")
	return
	if os.environ.get("GITHUB_COMMENTS_URL", "") == "":
	log.debug("Environment variable GITHUB_COMMENTS_URL not found")
	return
	try:
	headers = {"Authorization": "token {}".format(os.environ["GITHUB_TOKEN"])}
	# Get existing comments - GET
	get_r = requests.get(url=os.environ["GITHUB_COMMENTS_URL"], headers=headers)
	if get_r.status_code == 200:
	# Look for an existing comment to update
	update_url = False
	for comment in get_r.json():
	if comment["user"]["login"] == "github-actions[bot]" and comment["body"].startswith(
	"\n#### `nf-core lint` overall result"
	):
	# Update existing comment - PATCH
	log.info("Updating GitHub comment")
	update_r = requests.patch(
	url=comment["url"],
	data=json.dumps({"body": self.get_results_md().replace("Posted", "**Updated**")}),
	headers=headers,
	)
	return
	# Create new comment - POST
	if len(self.warned) > 0 or len(self.failed) > 0:
	r = requests.post(
	url=os.environ["GITHUB_COMMENTS_URL"],
	data=json.dumps({"body": self.get_results_md()}),
	headers=headers,
	)
	try:
	r_json = json.loads(r.content)
	response_pp = json.dumps(r_json, indent=4)
	except:
	r_json = r.content
	response_pp = r.content
	if r.status_code == 201:
	log.info("Posted GitHub comment: {}".format(r_json["html_url"]))
	log.debug(response_pp)
	else:
	log.warning("Could not post GitHub comment: '{}'\n{}".format(r.status_code, response_pp))
	except Exception as e:
	log.warning("Could not post GitHub comment: {}\n{}".format(os.environ["GITHUB_COMMENTS_URL"], e))

Specifically, it fetches the PR comments to see if there is a linting comment already. If there is, it updates it. If there isn't, it posts a new one. We'd need to figure out how to do this using a GitHub Actions workflow separate from the nf-core lint command if we take this new approach.

Editing instead of reposting is important as otherwise there will be a comment for every commit which is super spammy.

[ewels]

Ok, I can't resist a good challenge, so I got it to work. Took a lot of trial and error (thank you new nf-core/testpipeline!) but seems to be working now 🚀