chore: disable slither failures and post results as markdown in PRs (#26

) * chore: disable slither failures and post results as markdown in PRs * fix: use the buildjet actions for python * fix: posting slither output per crytic/slither-action#62 * fix: add pull-requests write permission for slither * fix: add other default permissions
Storm-Labs-Inc · Sep 14, 2023 · b4d939b · b4d939b
1 parent cd7a707
commit b4d939b
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 4 deletions.
diff --git a/.github/scripts/comment.js b/.github/scripts/comment.js
@@ -0,0 +1,26 @@
+module.exports = async ({ github, context, header, body }) => {
+  const comment = [header, body].join("\n");
+
+  const { data: comments } = await github.rest.issues.listComments({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    issue_number: context.payload.number,
+  });
+
+  const botComment = comments.find(
+    (comment) =>
+      // github-actions bot user
+      comment.user.id === 41898282 && comment.body.startsWith(header)
+  );
+
+  const commentFn = botComment ? "updateComment" : "createComment";
+
+  await github.rest.issues[commentFn]({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    body: comment,
+    ...(botComment
+      ? { comment_id: botComment.id }
+      : { issue_number: context.payload.number }),
+  });
+};
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -46,6 +46,10 @@ jobs:
   slither:
     name: Slither
     runs-on: buildjet-4vcpu-ubuntu-2204
+    permissions:
+      contents: read
+      packages: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -81,11 +85,26 @@ jobs:
         uses: crytic/[email protected]
         id: slither
         with:
+          # TODO: re-enable this before audits
+          fail-on: none
           ignore-compile: true
-          sarif: results.sarif
           node-version: ${{ env.NODE_VERSION }}
+          slither-args:
+            --checklist --markdown-root ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/
           slither-config: slither.config.json
 
+      - name: Create/update checklist as PR comment
+        uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        env:
+          REPORT: ${{ steps.slither.outputs.stdout }}
+        with:
+          script: |
+            const script = require('.github/scripts/comment')
+            const header = '# Slither report'
+            const body = process.env.REPORT
+            await script({ github, context, header, body })
+
   test:
     name: Test
     runs-on: buildjet-2vcpu-ubuntu-2204
@@ -111,7 +130,7 @@ jobs:
         run: pnpm install
 
       - name: Install Python
-        uses: actions/setup-python@v4
+        uses: buildjet/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "pip"
@@ -161,7 +180,7 @@ jobs:
         run: pnpm install
 
       - name: Install Python
-        uses: actions/setup-python@v4
+        uses: buildjet/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "pip"
@@ -232,7 +251,7 @@ jobs:
         run: pnpm install
 
       - name: Install Python
-        uses: actions/setup-python@v4
+        uses: buildjet/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "pip"