Skip to content

Post dogfood comment only after packages are successfully built#16248

Draft
Copilot wants to merge 5 commits intomainfrom
copilot/update-dogfood-comment-trigger
Draft

Post dogfood comment only after packages are successfully built#16248
Copilot wants to merge 5 commits intomainfrom
copilot/update-dogfood-comment-trigger

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 16, 2026
edited by radical
Loading

The dogfood comment was being posted immediately on PR open/sync via pull_request_target, before any packages were built — and was posted even for doc-only PRs where no packages are built at all.

Changes

dogfood-comment.yml

  • Removed pull_request_target trigger
  • Added workflow_run trigger watching the CI workflow — this runs in the base repo context with full write permissions, so it works for both same-repo and fork PRs
  • Added "Determine PR number" step that looks up the PR from the workflow run's head commit SHA via the GitHub API
  • Added "Check build_packages job succeeded" step that queries the jobs API to verify packages were built before posting
  • Comment-posting logic (actions/github-script) is unchanged, but now uses process.env.PR_NUMBER to avoid template injection
  • Kept workflow_dispatch trigger for manual use / testing
  • All event data is passed through env: vars instead of inline ${{ }} expressions to prevent template injection (satisfies zizmor audit)

How it works

  1. A PR triggers ci.yml → calls tests.yml → builds packages, runs tests
  2. When CI workflow completes, workflow_run fires dogfood-comment.yml in the base repo context
  3. The workflow resolves the PR number from the head commit SHA
  4. It checks that the Build packages job succeeded (so doc-only PRs and failed builds are skipped)
  5. If both checks pass, it posts/updates the dogfood comment on the PR

workflow_run always runs on the default branch in the base repository, so pull-requests: write works correctly for fork PRs without needing pull_request_target.

Note: The workflow_run trigger only fires when the workflow definition exists on the default branch. The first PR after merge will activate it.

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • No
  • Does the change make any security assumptions or guarantees?
    • No
  • Does the change require an update in our Aspire docs?
    • No

Copilot AI changed the title [WIP] Update dogfood comment workflow to trigger on workflow_dispatch Post dogfood comment only after packages are successfully built Apr 16, 2026
Copilot AI requested a review from radical April 16, 2026 21:20
@radical
Fix missing contents:read permission and dead error handling
fced8ff 
- Add contents: read to the tests job permissions block in ci.yml,
  preventing 403 errors on actions/checkout (when permissions: is set,
  unspecified scopes default to none).
- Replace exit_code=$? pattern with || in the dogfood dispatch step.
  Bash runs with set -e by default in Actions, so the old pattern was
  dead code — the warning annotation would never be emitted.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 16, 2026
edited
Loading

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16248

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16248"

@radical
Use workflow_run trigger for fork PR support and fix injection risks
cbf7e07 
Replace the dispatch-from-tests.yml approach with a workflow_run trigger
on dogfood-comment.yml. workflow_run always runs in the base repo context
with write permissions, so dogfood comments now work for fork PRs too.

- Remove prNumber plumbing from ci.yml and tests.yml
- Add workflow_run trigger watching CI workflow completion
- Query jobs API to verify build_packages succeeded before posting
- Use commits API to resolve PR number (works for forks)
- Pass all event data through env vars to prevent template injection
  (fixes zizmor template-injection findings)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@radical radical force-pushed the copilot/update-dogfood-comment-trigger branch from eebdc34 to cbf7e07 Compare April 16, 2026 22:35
@radical radical closed this Apr 16, 2026
@radical
Add same-repo dogfood comment path and restrict fork-only workflow
ec5d9ac 
- Add dogfood_comment job in tests.yml that posts after build_packages
  for same-repo PRs (earlier than waiting for full CI completion)
- Restrict dogfood-comment.yml to fork PRs only via head_repository check
- Replace update-or-create pattern with skip-if-exists dedup in both paths
- Use continue-on-error: true so comment failures don't break CI

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@radical radical reopened this Apr 17, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 17, 2026

🎬 CLI E2E Test Recordings — 36 recordings uploaded (commit cbf7e07)

View recordings
Test Recording
AspireAddPackageVersionToDirectoryPackagesProps ▶️ View Recording
AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps ▶️ View Recording
CertificatesClean_RemovesCertificates ▶️ View Recording
CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate ▶️ View Recording
CertificatesTrust_WithUntrustedCert_TrustsCertificate ▶️ View Recording
CreateAndRunAspireStarterProjectWithBundle ▶️ View Recording
CreateAndRunEmptyAppHostProject ▶️ View Recording
CreateAndRunJavaEmptyAppHostProject ▶️ View Recording
CreateAndRunPythonReactProject ▶️ View Recording
CreateAndRunTypeScriptStarterProject ▶️ View Recording
CreateTypeScriptAppHostWithViteApp ▶️ View Recording
DashboardRunWithOtelTracesReturnsNoTraces ▶️ View Recording
DeployK8sBasicApiService ▶️ View Recording
DeployK8sWithGarnet ▶️ View Recording
DeployK8sWithMongoDB ▶️ View Recording
DeployK8sWithMySql ▶️ View Recording
DeployK8sWithPostgres ▶️ View Recording
DeployK8sWithRabbitMQ ▶️ View Recording
DeployK8sWithRedis ▶️ View Recording
DeployK8sWithSqlServer ▶️ View Recording
DeployK8sWithValkey ▶️ View Recording
DeployTypeScriptAppToKubernetes ▶️ View Recording
DescribeCommandResolvesReplicaNames ▶️ View Recording
DescribeCommandShowsRunningResources ▶️ View Recording
DoListStepsShowsPipelineSteps ▶️ View Recording
InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot ▶️ View Recording
LegacySettingsMigration_AdjustsRelativeAppHostPath ▶️ View Recording
LogsCommandShowsResourceLogs ▶️ View Recording
PsCommandListsRunningAppHost ▶️ View Recording
PsFormatJsonOutputsOnlyJsonToStdout ▶️ View Recording
RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes ▶️ View Recording
SecretCrudOnTypeScriptAppHost ▶️ View Recording
StopAllAppHostsFromAppHostDirectory ▶️ View Recording
StopAllAppHostsFromUnrelatedDirectory ▶️ View Recording
StopNonInteractiveMultipleAppHostsShowsError ▶️ View Recording
StopNonInteractiveSingleAppHost ▶️ View Recording

📹 Recordings uploaded automatically from CI run #24541901576

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@radical radical Awaiting requested review from radical

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@radical radical

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@radical