feat: Comment Audit result on PR (only on errors)

.github/workflows/build.yaml

@@ -74,7 +74,20 @@ jobs:
 
     # Audit all currently installed packages for security vulnerabilities.
     - name: Audit installed packages
-      run: make audit
+      id: audit-packages
+      continue-on-error: true
+      run: make --silent audit > vulnerabilities.txt
+
+    # Upload the vulnerabilities file output.
+    - name: Upload Artifact
+      id: upload-audit-artifact
+      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb #v3.1.1
+      with:
+        name: vulnerabilities.txt
+        path: .
+        if-no-files-found: error
+        retention-days: 1
+      if: steps.audit-packages.outputs.exit_code == 1
 
     # Build the sdist and wheel distribution of the package and docs as a zip file.
     # We don't need to check and test the package separately because `make dist` runs

.github/workflows/pr-change-set.yaml

@@ -18,3 +18,23 @@ jobs:
     uses: ./.github/workflows/build.yaml
     permissions:
       contents: read
+
+  comment-audit:
+    runs-on: ubuntu-latest
+    permissions:
+          pull-requests: write
+    needs: build
+    steps:
+
+    - name: Download artifact from Build
+      uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 #v3
+      if: steps.audit-packages.outputs.exit_code == 1 
+      with:
+        name: vulnerabilities.txt
+
+    - name: comment PR
+      id: comment-pr
+      run: gh pr comment ${{ github.event.number }} --body-file vulnerabilities.txt
+      if: steps.audit-packages.outputs.exit_code == 1
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-conventional-commits.yaml

@@ -52,4 +52,4 @@ jobs:
       env:
         PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
         PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
-        PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
+        PR_HEAD_REPO_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}