Merged
18 changes: 18 additions & 0 deletions .github/workflows/pull-request-comment.yml
@@ -0,0 +1,18 @@
name: Add Comment to PR

on:
pull_request_target:
Comment on lines +1 to +4

🛠️ Refactor suggestion

Harden the GITHUB_TOKEN scope (least privilege).

pull_request_target grants a broad, write-scoped token by default. This job only needs to read contents and write an issue-style comment. Restrict permissions at the workflow root.

Apply this diff to set minimal permissions:

 name: Add Comment to PR
+permissions:
+  contents: read
+  pull-requests: read
+  issues: write
🤖 Prompt for AI Agents
In .github/workflows/pull-request-comment.yml lines 1-4, the workflow uses
pull_request_target which grants a broad GITHUB_TOKEN scope; restrict
permissions at the workflow root by adding a permissions block that grants only
what's needed (e.g., contents: read and issues: write — or pull-requests: write
if you use the Pull Requests API) so the job can read repository contents and
post an issue-style PR comment without broad write permissions.

types:
- opened

jobs:
comment:
runs-on: ubuntu-latest

steps:
- name: Create or Update Comment
uses: peter-evans/[email protected]

💡 Verification agent

🧩 Analysis chain

Pin the third-party action to a commit SHA.

Using a floating tag (even v4.0.0) risks supply-chain drift. Pin to the exact commit for v4.0.0 and optionally add an allowlist comment.

Apply this diff after resolving the release’s commit SHA:

-        uses: peter-evans/[email protected]
+        # v4.0.0 (pin to immutable commit for supply-chain safety)
+        uses: peter-evans/create-or-update-comment@<commit-sha-for-v4.0.0>

Use one of the commands below to retrieve the exact commit SHA for v4.0.0:


🏁 Script executed:

#!/bin/bash
# Get the commit SHA for the v4.0.0 tag (select the commit, not the tag object)
git ls-remote https://github.com/peter-evans/create-or-update-comment refs/tags/v4.0.0 | awk 'END{print $1}'

Length of output: 151


Pin GitHub Action to immutable commit SHA

The peter-evans/[email protected] reference should be pinned to the exact commit to prevent supply-chain drift.

• File: .github/workflows/pull-request-comment.yml
Line: 14

Suggested diff:

-        uses: peter-evans/[email protected]
+        # v4.0.0 (pin to immutable commit for supply-chain safety)
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
📝 Committable suggestion


Suggested change
uses: peter-evans/[email protected]
- name: Comment on PR
# v4.0.0 (pin to immutable commit for supply-chain safety)
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
with:
issue-number: ${{ github.event.pull_request.number }}
body: |
Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.

with:
issue-number: ${{ github.event.pull_request.number }}
body: |
Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
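Review bot: Add a comment at the `pull_request_target:` trigger recording why this job is safe under that trigger, so the invariant survives later edits. As written the job never checks out or runs PR code, and the only PR-controlled value, `${{ github.event.pull_request.user.login }}`, is passed as the `body:` input of the action rather than expanded into a `run:` shell line, so the write-scoped token is not reachable from the PR. Both properties are easy to lose in a follow-up (an `actions/checkout` of the PR head, or moving the greeting into a `run:` step); a note such as `# pull_request_target: do not check out PR code or interpolate PR data into run: steps` next to the trigger, together with the root `permissions:` block and the SHA pin already suggested, keeps the token confined to posting the comment.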
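As an added example (not part of the PR or of the review bot's output), a small standard-library Python lint that checks a workflow file for the two findings raised above: a `pull_request_target` trigger without a workflow-root `permissions:` block, and `uses:` references not pinned to a 40-character commit SHA. The embedded workflow text is reconstructed from the diff, and the SHA in the hardened variant is a placeholder, not a real commit.

```python
import re

# Constructed sample: the workflow from this PR, reconstructed from the diff.
WORKFLOW_BEFORE = """\
name: Add Comment to PR

on:
  pull_request_target:
    types:
      - opened

jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - name: Create or Update Comment
        uses: peter-evans/create-or-update-comment@v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
"""

# Hardened variant: root permissions block added, action pinned to a SHA.
# The SHA is a placeholder; only its shape (40 hex chars) matters to the check.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: Add Comment to PR\n",
    "name: Add Comment to PR\npermissions:\n  contents: read\n  issues: write\n",
).replace("@v4.0.0", "@" + "0" * 40)

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text):
    """Return findings: pull_request_target without root permissions, unpinned actions."""
    findings = []
    lines = text.splitlines()
    # Only an unindented 'permissions:' is the workflow-root block the review asked for.
    has_root_permissions = any(line.rstrip() == "permissions:" for line in lines)
    uses_target = any(line.strip() == "pull_request_target:" for line in lines)
    if uses_target and not has_root_permissions:
        findings.append("pull_request_target without root 'permissions:' block")
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        # Tags and branches are mutable refs; only a full commit SHA is immutable.
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"line {n}: {m.group(1)} pinned to mutable ref {m.group(2)!r}")
    return findings
```

Local `./path` and `docker://` references carry no `@ref` and are skipped; a job-level `permissions:` block also narrows the token but is not what this check looks for.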