Skip to content

Remove API token requirement from Danger workflow #2632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
numbata wants to merge 1 commit into
base: master
Choose a base branch
from
+138 −17
Draft

Remove API token requirement from Danger workflow #2632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 82 additions & 0 deletions .github/scripts/post-danger-comment.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
const fs = require('fs');
Copy link
Member

@dblock dblock Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any way we can package and release this as part of grape-danger?

const core = require('@actions/core');

module.exports = async ({ github, context }) => {
const hasItems = (arr) => Array.isArray(arr) && arr.length > 0;

let report;
try {
report = JSON.parse(fs.readFileSync('danger_report.json', 'utf8'));
} catch (e) {
console.log('No danger report found, skipping comment');
return;
}

if (!report.pr_number) {
console.log('No PR number found in report, skipping comment');
return;
}

let body = '## Danger Report\n\n';

if (hasItems(report.errors)) {
body += '### ❌ Errors\n';
report.errors.forEach(e => body += `- ${e}\n`);
body += '\n';
}

if (hasItems(report.warnings)) {
body += '### ⚠️ Warnings\n';
report.warnings.forEach(w => body += `- ${w}\n`);
body += '\n';
}

if (hasItems(report.messages)) {
body += '### ℹ️ Messages\n';
report.messages.forEach(m => body += `- ${m}\n`);
body += '\n';
}

if (hasItems(report.markdowns)) {
report.markdowns.forEach(md => body += `${md}\n\n`);
}

if (!hasItems(report.errors) &&
!hasItems(report.warnings) &&
!hasItems(report.messages) &&
!hasItems(report.markdowns)) {
body += '✅ All checks passed!';
}

const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: report.pr_number
});

const botComment = comments.find(c =>
c.user.login === 'github-actions[bot]' &&
c.body.includes('## Danger Report')
);

if (botComment) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: body
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: report.pr_number,
body: body
});
}

// Fail if there are errors
if (report.errors && report.errors.length > 0) {
core.setFailed('Danger found errors');
}
};
30 changes: 30 additions & 0 deletions .github/workflows/danger-comment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Danger Comment
on:
workflow_run:
workflows: [Danger]
types: [completed]

permissions:
actions: read
contents: read
issues: write
pull-requests: write

jobs:
comment:
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request'
steps:
- name: Checkout
Copy link
Member

@dblock dblock Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this needed here?

Copy link
Contributor Author

@numbata numbata Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, to have .github/scripts/post-danger-comment.js on "Post or Update PR Comment" step, but maybe I'll just move back to have it inline in here.

Copy link
Member

@dblock dblock Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's checking out the code from upstream, right? Otherwise you can inject things here. All good with me.

If possible to package it that'd be best, but can be taken care of later.

uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Download Danger Report
uses: actions/download-artifact@v4
with:
name: danger-report
run-id: ${{ github.event.workflow_run.id }}
- name: Post or Update PR Comment
uses: actions/github-script@v7
with:
script-file: .github/scripts/post-danger-comment.js
43 changes: 26 additions & 17 deletions .github/workflows/danger.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,30 @@
---
name: danger
on: pull_request

name: Danger
on:
pull_request:
types: [ opened, reopened, edited, synchronize ]
jobs:
danger:
name: Danger
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 100
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 3.4
bundler-cache: true
- name: Run Danger
run: |
# the token is public, has public_repo scope and belongs to the grape-bot user owned by @dblock, this is ok
TOKEN=$(echo -n Z2hwX2lYb0dPNXNyejYzOFJyaTV3QUxUdkNiS1dtblFwZTFuRXpmMwo= | base64 --decode)
DANGER_GITHUB_API_TOKEN=$TOKEN bundle exec danger --verbose
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: Run Danger
run: bundle exec danger dry_run --verbose
env:
DANGER_REPORT_PATH: danger_report.json
- name: Upload Danger Report
if: always()
uses: actions/upload-artifact@v4
with:
name: danger-report
path: danger_report.json
retention-days: 1
if-no-files-found: ignore
Loading