runtoolkit · tickwarden · May 25, 2026 · May 25, 2026
diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml
@@ -1,4 +1,34 @@
-- name: Check if PR author is org admin
+name: PR Security Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+permissions:
+  contents: read
+  pull-requests: write
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+jobs:
+  scan:
+    name: Scan PR for malicious patterns
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: changed
+        run: |
+          git fetch origin ${{ github.base_ref }} --depth=1
+          CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
+          echo "Changed files:"
+          echo "$CHANGED"
+          echo "files<<EOF" >> $GITHUB_OUTPUT
+          echo "$CHANGED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Check if PR author is org admin
         id: admin_check
         uses: actions/github-script@v8
         with:
@@ -15,4 +45,48 @@
         env:
           CHANGED_FILES: ${{ steps.changed.outputs.files }}
           PR_AUTHOR_IS_ADMIN: ${{ steps.admin_check.outputs.is_admin }}
-        run: python3 .github/scripts/pr_security_scan.py
+        run: python3 .github/scripts/pr_security_scan.py
+
+      - name: Post scan results as PR comment
+        if: always() && steps.mcf_scan.outcome != 'skipped'
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const fs = require('fs');
+            const reportPath = '/tmp/scan_report.md';
+            if (!fs.existsSync(reportPath)) {
+              console.log('No issues found — skipping comment.');
+              return;
+            }
+            const body = fs.readFileSync(reportPath, 'utf8');
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find(c =>
+              c.user.login === 'github-actions[bot]' &&
+              c.body.includes('PR Security Scan')
+            );
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
+
+      - name: Fail on CRITICAL or HIGH findings
+        if: steps.mcf_scan.outcome == 'failure'
+        run: |
+          echo "PR blocked: CRITICAL or HIGH severity findings detected."
+          echo "Review the scan report above before merging."
+          exit 1