CLOUDP-317733: Code coverage report fails for forks

[jeroenvervaeke]

Proposed changes

Split the code coverage and commenting workflow into 2 workflows:

1. The original workflow still runs code coverage and compares the code coverage like before, with a read-only token
   • Instead of commenting we save the comment as an artifact
2. code-heatlth-comment-coverage.yml runs on the base of the branch (for security) with a write token and comments.

Jira ticket: CLOUDP-317733

[fmenezes]

LGTM, I don't see the comment on this PR, did something happen?

[jeroenvervaeke]

LGTM, I don't see the comment on this PR, did something happen?

You're right, back to the drawing board. As you pointed out offline, workflow_run only runs on master and not PRs

[fmenezes]

I would change

- name: Comment PR
  uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db

to

- name: Comment PR
  uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db
  if: github.event.pull_request.head.repo.full_name == github.repository

and call it a day for this PR, then you open a new jira about making the comment on forks

I mean we can still see it on action summary, we just need to make sure anyone can see it

[fmenezes]

[q] do you need both pull_request_target and pull_request ?

[fmenezes]

I tihnk pull_request_target only triggers on forks not normal PRs https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target

[jeroenvervaeke]

No, but it limits the permissions:

For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secre

[github-actions]

Coverage Report 📈

Branch	Commit	Coverage
master	b96671e	25.1%
CLOUDP-317733	3d3bd5e	25.1%
	Difference	0%