[PPSC-556] feat(action): post branded PR comments via backend webhook#230
Open
yiftach-armis wants to merge 3 commits into
Pull request overview
This PR moves PR commenting for the Armis security scan from client-side formatting in the reusable workflow to a server-side, branded comment flow by sending SARIF to an Armis backend webhook (posting as armis-appsec[bot]).
Changes:
- Added `pr-comment` and `api-url` inputs to the GitHub Action and implemented a new “Post Branded PR Comment” step that posts SARIF to the backend webhook (soft-fail by design).
- Updated the reusable workflow to delegate PR commenting to the action (removing the prior `actions/github-script` formatter).
- Updated docs and changelog to describe branded PR comments and the new inputs / requirements.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/CI-INTEGRATION.md | Documents branded PR commenting behavior and adds pr-comment / api-url to input references. |
| docs/CHANGELOG.md | Records the new Action inputs and the workflow change/removal of the old formatter. |
| action.yml | Adds new inputs and implements the backend webhook PR comment posting logic. |
| .github/workflows/reusable-security-scan.yml | Routes PR commenting through the action and removes the in-workflow formatter block. |
Send raw SARIF to the Armis backend (POST /api/v1/webhook/pr-comment) for server-side branded PR comments posted as armis-appsec[bot], instead of formatting comments client-side in the workflow.
- action.yml: add pr-comment and api-url inputs plus a Post Branded PR Comment step. Resolves the API base URL (api-url/ARMIS_API_URL -> region -> production, HTTPS-enforced), exchanges client-id/secret for a JWT (Bearer) with Basic api-token fallback, builds the request body with jq, and POSTs the SARIF. Soft-fails everywhere (warn + exit 0) so commenting never fails the build.
- reusable-security-scan.yml: delegate commenting to the action; remove the ~130-line github-script formatter block.
- docs: document the new inputs, the armis-appsec App requirement, and changelog entries.
4ae70b0 to 5b87cb8
Test Coverage Report: total (statements) 72.5%
…-556) Address Copilot review on PR #230:
- api-url is now exported as ARMIS_API_URL for the scan step, matching its documented 'Equivalent to ARMIS_API_URL' contract (previously the input only reached the PR-comment webhook step).
- Correct the PR-comment HTTPS comment: the action enforces HTTPS for all base URLs, which is intentionally stricter than the CLI's NewAuthClient (which permits http://localhost for local dev).
…es (PPSC-556) Address Copilot review round 2 on PR #230:
- Document that pr-comment requires a persisted SARIF file (keep format: sarif and set output-file); clarify in the input description, the missing-SARIF warning, and the CI-INTEGRATION docs so enabling pr-comment without output-file doesn't appear to silently do nothing.
- Write the request payload and backend response to mktemp files with an EXIT trap instead of leaving pr-comment-payload.json / -response.json in the workspace, so the SARIF payload stays private and is cleaned up even on early soft-fail exits (matches the token-request file pattern).
Related Issue
Type of Change
Problem
PR comments were formatted client-side in the reusable workflow via a ~130-line `actions/github-script` block, posted as the generic GitHub Actions bot — branding and formatting drifted from the `armis-appsec` bot used elsewhere, and any formatting change required an action release.
Solution
The action now sends raw SARIF to the Armis backend (`POST /api/v1/webhook/pr-comment`) for server-side branded comments posted as `armis-appsec[bot]`. `action.yml` gains `pr-comment` and `api-url` inputs plus a Post Branded PR Comment step that resolves the HTTPS-enforced API base URL, exchanges `client-id`/`client-secret` for a JWT (with Basic `api-token` fallback), and POSTs the SARIF — soft-failing everywhere so commenting never breaks the build. The reusable workflow delegates to the action and drops its github-script formatter, and the docs/CHANGELOG document the new inputs and the `armis-appsec` App requirement.
Testing
Automated Tests
Manual Testing
The change is GitHub Actions YAML and embedded shell; behavior is exercised at runtime in CI. No Go code changed, so the suite is a regression sanity check.
Reviewer Notes
Focus on the shell in the new `action.yml` step: API-URL resolution + HTTPS enforcement, JWT-vs-Basic auth selection, and the soft-fail (warn + `exit 0`) paths. Commenting requires the `armis-appsec` GitHub App installed on the repo; without it the backend skips the comment while the scan still runs and uploads results.
Checklist
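The resolution order, HTTPS rule, soft-fail path and mktemp/EXIT-trap cleanup that the description and reviewer notes ask reviewers to check, as an added stand-alone example rather than the action.yml step from this PR; the function names and the `armis.invalid` placeholder hostnames are assumptions, and the network call is left as a comment.

```shell
#!/usr/bin/env bash
# Added example, not the action.yml step from this PR. Function names and the
# placeholder hostnames below are assumptions; only the precedence order,
# HTTPS rule, endpoint path and soft-fail behaviour come from the PR text.

# Resolve the API base URL: api-url input -> ARMIS_API_URL -> region ->
# production default. Prints the URL and returns 0, or returns 1 when the
# result is not https:// (the action refuses plain http everywhere).
resolve_api_url() {
  local input_url="$1" env_url="$2" region="$3" url
  if [ -n "$input_url" ]; then
    url="$input_url"
  elif [ -n "$env_url" ]; then
    url="$env_url"
  elif [ -n "$region" ]; then
    url="https://api.${region}.armis.invalid"   # placeholder region host
  else
    url="https://api.armis.invalid"             # placeholder production host
  fi
  url="${url%/}"                                # normalise one trailing slash
  case "$url" in
    https://*) printf '%s\n' "$url" ;;
    *)         return 1 ;;
  esac
}

# Soft-fail step body: never returns non-zero, so the PR comment cannot fail
# the build. On failure it emits a GitHub ::warning:: annotation instead.
# On success it prints the webhook endpoint it would POST the SARIF to.
comment_step() {
  local url payload response sarif_file="${4:-}"
  if ! url=$(resolve_api_url "$1" "$2" "$3"); then
    echo "::warning::PR comment skipped: API base URL must start with https://"
    return 0
  fi
  # Payload and response live in private temp files removed on every exit
  # path, so the SARIF never lingers in the workspace (mktemp + EXIT trap).
  payload=$(mktemp) && response=$(mktemp) || return 0
  trap 'rm -f "$payload" "$response"' EXIT
  if [ ! -s "$sarif_file" ]; then
    echo "::warning::PR comment skipped: no SARIF file (keep format: sarif and set output-file)"
    return 0
  fi
  cp "$sarif_file" "$payload"   # the real step builds the JSON body with jq
  # curl --fail -sS -o "$response" -H "Authorization: Bearer ..." \
  #   --data-binary @"$payload" "$url/api/v1/webhook/pr-comment"  (network omitted)
  printf '%s\n' "$url/api/v1/webhook/pr-comment"
}
```

In a step you would call `comment_step "$INPUT_API_URL" "$ARMIS_API_URL" "$INPUT_REGION" "$OUTPUT_FILE"` and follow it with `exit 0`; the `::warning::` lines surface in the job annotations without failing the build.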