36 changes: 4 additions & 32 deletions .github/workflows/plan-review.yml
Expand Up @@ -66,38 +66,10 @@ jobs:

- name: Post review to PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
let review = '';
try {
review = fs.readFileSync('review-output.txt', 'utf8');
} catch (e) {
review = 'LLM review output not available.';
}
let resultJson = {};
try {
resultJson = JSON.parse(fs.readFileSync('review-result.json', 'utf8'));
} catch (e) {
resultJson = {risk: 'FAILED'};
}
const riskEmoji = {LOW: '\u{1F7E2}', MEDIUM: '\u{1F7E1}', HIGH: '\u{1F534}', FAILED: '\u26AA'}[resultJson.risk] || '\u26AA';

const body = [
'## LLM Plan Review',
'',
`**Risk: ${riskEmoji} ${resultJson.risk}**`,
'',
review
].join('\n');

await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: sh platform/scripts/post-review-comment.sh

- name: Alert Slack on HIGH risk
if: github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.review.outputs.risk_level == 'HIGH'
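Review bot: The new `run: sh platform/scripts/post-review-comment.sh` line points at a path this PR does not add; the script lands at `scripts/post-review-comment.sh`, and tf-plan.yml calls it as `.platform/scripts/...`, so three workflows now reference the same helper under three different prefixes. If plan-review.yml runs from a consumer checkout that vendors this repo under `platform/`, that is intentional, but nothing on the page says so and a wrong prefix only fails at runtime with a file-not-found. A one-line comment above the step would settle it, e.g. `# path is relative to the consumer repo, which checks this repo out under platform/`. The job containing this step starts and ends outside the hunk.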
77 changes: 8 additions & 69 deletions .github/workflows/platform-ci.yml
Expand Up @@ -90,43 +90,10 @@ jobs:

- name: Post plan to PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const planPath = '${{ env.TF_ROOT }}/plan-output.txt';
let plan = '';
try {
plan = fs.readFileSync(planPath, 'utf8');
} catch (e) {
plan = 'Plan output not available.';
}
// Truncate to fit GitHub comment limits
if (plan.length > 60000) {
plan = plan.substring(0, 60000) + '\n\n... (truncated)';
}
const hasChanges = '${{ steps.plan.outputs.has_changes }}' === 'true';
const status = hasChanges ? '**Changes detected** — review required.' : '**No changes** — infrastructure is up to date.';
const body = [
'## Terraform Plan',
'',
status,
'',
'<details><summary>Plan output</summary>',
'',
'```',
plan,
'```',
'',
'</details>'
].join('\n');

await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: sh scripts/post-plan-comment.sh "${{ env.TF_ROOT }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"

# --------------------------------------------------------------------------
# Review — LLM risk analysis via Bedrock
Expand Down Expand Up @@ -158,38 +125,10 @@ jobs:

- name: Post review to PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
let review = '';
try {
review = fs.readFileSync('review-output.txt', 'utf8');
} catch (e) {
review = 'LLM review output not available.';
}
let resultJson = {};
try {
resultJson = JSON.parse(fs.readFileSync('review-result.json', 'utf8'));
} catch (e) {
resultJson = {risk: 'FAILED'};
}
const riskEmoji = {LOW: '🟢', MEDIUM: '🟡', HIGH: '🔴', FAILED: '⚪'}[resultJson.risk] || '⚪';

const body = [
'## 🧠 LLM Plan Review',
'',
`**Risk: ${riskEmoji} ${resultJson.risk}**`,
'',
review
].join('\n');

await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: sh scripts/post-review-comment.sh

- name: Post HIGH risk to Slack
if: steps.review.outputs.risk_level == 'HIGH' && github.ref == 'refs/heads/main'
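Review bot: In the first hunk of this file the `run:` line expands `${{ env.TF_ROOT }}` and `${{ steps.plan.outputs.has_changes }}` directly into the shell command, so whatever those expressions evaluate to is parsed by `sh` before the script sees it; the same pattern appears in tf-plan.yml with `${{ inputs.tf_root }}`, which is caller-supplied and therefore the more important of the two. Both values are probably repo-controlled here, but the step already has an `env:` block, and routing them through it keeps the run line free of expression expansion: add `PLAN_FILE: ${{ env.TF_ROOT }}/plan-output.txt` and `HAS_CHANGES: ${{ steps.plan.outputs.has_changes }}` under `env:` and change the command to `run: sh scripts/post-plan-comment.sh "$PLAN_FILE" "$HAS_CHANGES"`. Both jobs touched by this file start and end outside the hunks.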
42 changes: 4 additions & 38 deletions .github/workflows/tf-plan.yml
Expand Up @@ -106,41 +106,7 @@ jobs:

- name: Post plan to PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const planPath = '${{ inputs.tf_root }}/plan-output.txt';
let plan = '';
try {
plan = fs.readFileSync(planPath, 'utf8');
} catch (e) {
plan = 'Plan output not available.';
}
if (plan.length > 60000) {
plan = plan.substring(0, 60000) + '\n\n... (truncated)';
}
const hasChanges = '${{ steps.plan.outputs.has_changes }}' === 'true';
const status = hasChanges
? '**Changes detected** — review required.'
: '**No changes** — infrastructure is up to date.';
const body = [
'## Terraform Plan',
'',
status,
'',
'<details><summary>Plan output</summary>',
'',
'```',
plan,
'```',
'',
'</details>'
].join('\n');

await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: sh .platform/scripts/post-plan-comment.sh "${{ inputs.tf_root }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"
35 changes: 35 additions & 0 deletions scripts/post-plan-comment.sh
@@ -0,0 +1,35 @@
#!/bin/sh
# Post terraform plan output as a PR comment.
#
# Usage: post-plan-comment.sh <plan-output-file> <has_changes>
#
# Env: GH_TOKEN (or gh auth), GITHUB_REPOSITORY, PR_NUMBER

set -e

PLAN_FILE="$1"
HAS_CHANGES="$2"

if [ "$HAS_CHANGES" = "true" ]; then
STATUS="**Changes detected** — review required."
else
STATUS="**No changes** — infrastructure is up to date."
fi

PLAN=$(head -c 60000 "$PLAN_FILE" 2>/dev/null || echo "Plan output not available.")

cat > /tmp/plan-comment.md <<EOF
## Terraform Plan

${STATUS}

<details><summary>Plan output</summary>

\`\`\`
${PLAN}
\`\`\`

</details>
EOF

gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/plan-comment.md
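Review bot: The `PLAN=$(head -c 60000 ...)` line silently drops the `... (truncated)` marker that the github-script version appended, so a reviewer reading a cut-off plan in the PR comment can no longer tell that it is incomplete; it also conflates "file missing" with "head failed", and `head -c` counts bytes, so a multibyte character such as the em dash in `STATUS` can be split at the boundary. The rewrite below keeps the marker and makes the missing-file fallback explicit. Separately, `/tmp/plan-comment.md` is a fixed, predictable path; on GitHub-hosted runners that is harmless, but on shared self-hosted runners a `mktemp` file with a `trap 'rm -f ...' EXIT` is the safer habit (same remark applies to post-review-comment.sh).
```sh
# … unchanged: STATUS selection …
if [ -r "$PLAN_FILE" ]; then
  PLAN=$(head -c 60000 "$PLAN_FILE")
  # keep the truncation marker the previous github-script step emitted
  if [ "$(wc -c < "$PLAN_FILE")" -gt 60000 ]; then
    PLAN="${PLAN}

... (truncated)"
  fi
else
  PLAN="Plan output not available."
fi
# … unchanged: heredoc and gh pr comment …
```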
29 changes: 29 additions & 0 deletions scripts/post-review-comment.sh
@@ -0,0 +1,29 @@
#!/bin/sh
# Post LLM review result as a PR comment.
#
# Usage: post-review-comment.sh
#
# Reads review-result.json and review-output.txt from current directory.
# Env: GH_TOKEN (or gh auth), GITHUB_REPOSITORY, PR_NUMBER

set -e

RISK=$(jq -r '.risk // "FAILED"' review-result.json 2>/dev/null || echo "FAILED")
REVIEW=$(cat review-output.txt 2>/dev/null || echo "LLM review output not available.")

case "$RISK" in
LOW) EMOJI="🟢" ;;
MEDIUM) EMOJI="🟡" ;;
HIGH) EMOJI="🔴" ;;
*) EMOJI="⚪" ;;
esac

cat > /tmp/review-comment.md <<EOF
## LLM Plan Review

**Risk: ${EMOJI} ${RISK}**

${REVIEW}
EOF

gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/review-comment.md
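Review bot: The comment body is written to the fixed path `/tmp/review-comment.md` and never removed, so on a shared self-hosted runner a pre-existing file or symlink at that path would be followed by `cat >`, and the LLM output lingers after the job; a per-run temp file closes both. Replace the heredoc target and the `--body-file` argument with `"$COMMENT_FILE"` after adding `COMMENT_FILE=$(mktemp)` and `trap 'rm -f "$COMMENT_FILE"' EXIT` below `set -e`. The `2>/dev/null || echo "FAILED"` fallback on the `jq` line also hides a missing `jq` binary behind the same FAILED badge as a missing result file; if that distinction matters for debugging, a comment saying the conflation is deliberate would help the next reader.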