From 752c7662567681e78f53c9a5cc9af94e0d7709de Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 29 Feb 2024 08:05:36 -0500 Subject: [PATCH 1/4] provide coverage in step summary (action script) Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/coverage.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 2c1fed77b..9453e9eb3 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -55,10 +55,12 @@ jobs: const pr = ${{fromJson(needs.coverage.outputs.cov-pr).totals.percent_covered}}; const main = ${{fromJson(needs.coverage.outputs.cov-main).totals.percent_covered}}; const diff = pr - main; + const report = `### Coverage report + **Main**: ${main.toFixed(2)}% | **PR**: ${pr.toFixed(2)}% | **Diff: ${diff.toFixed(2)} ${diff >= 0 ? '✅' : '⚠️'}**`; + await core.summary.addRaw(report).write() github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, - body: `### Coverage report - **Main**: ${main.toFixed(2)}% | **PR**: ${pr.toFixed(2)}% | **Diff: ${diff.toFixed(2)} ${diff >= 0 ? '✅' : '⚠️'}**` + body: report }) From 53db407b3dbfbaa643c3b4590e6a7cd761c8183e Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 29 Feb 2024 08:06:12 -0500 Subject: [PATCH 2/4] add permissions for paranoid repositories to coverage report Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/coverage.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 9453e9eb3..f43d8448f 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml 
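Review bot: The new `report` template is built from `pr` and `main`, which the context lines above it splice into the script source with `${{fromJson(needs.coverage.outputs.cov-pr).totals.percent_covered}}`, so whatever the `coverage` job writes into that output is evaluated as JavaScript rather than read as data; a non-numeric `percent_covered` becomes code here. Safer to hand the two outputs to the step through `env:` (`COV_PR: ${{ needs.coverage.outputs.cov-pr }}`, `COV_MAIN: ${{ needs.coverage.outputs.cov-main }}`) and parse them in-script with `const pr = JSON.parse(process.env.COV_PR).totals.percent_covered;`, which keeps the values as strings. Under the `on: [push]` trigger in effect at this commit the outputs come from trusted branch code, so this is hardening rather than an open hole, but it becomes load-bearing the moment the workflow runs on pull requests. The `createComment` call is also not awaited, so a rejected request surfaces as an unhandled rejection after the step has moved on; the `script:` block these lines belong to starts before the hunk.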
@@ -2,6 +2,10 @@ name: coverage on: [push] +# limit default permissions to just read-only checkouts +permissions: + contents: read + jobs: coverage: runs-on: ubuntu-latest @@ -48,6 +52,10 @@ jobs: comment: runs-on: ubuntu-latest needs: [coverage] + permissions: + # needed to add coverage comment to the pull request + pull-requests: write + steps: - uses: actions/github-script@v6 with: From 0175c83a468821711694db9056765025810180a3 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 29 Feb 2024 10:07:53 -0500 Subject: [PATCH 3/4] tolerate failure to post comment in PRs from forks Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- .github/workflows/coverage.yaml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index f43d8448f..f0a2ffb4b 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -66,9 +66,13 @@ jobs: const report = `### Coverage report **Main**: ${main.toFixed(2)}% | **PR**: ${pr.toFixed(2)}% | **Diff: ${diff.toFixed(2)} ${diff >= 0 ? '✅' : '⚠️'}**`; await core.summary.addRaw(report).write() - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: report - }) + try { + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: report + }) + } catch (e) { + console.log("Could not post comment to pull request", e) + } From 8c765ebb867a2063ef21189882d68cef3e81067f Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 7 Mar 2024 15:26:02 -0500 Subject: [PATCH 4/4] Switch to running on pull requests --- .github/workflows/coverage.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
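Review bot: The `try`/`catch` wrapped around `github.rest.issues.createComment(...)` cannot catch the failure it is written for, because the call is not awaited: it returns a promise, and the 403 a fork PR gets with a read-only token rejects after the `try` block has already exited, so it surfaces as an unhandled rejection instead of the "Could not post comment" log line. Change the call to `await github.rest.issues.createComment({` so the rejection lands in the `catch`, and prefer `core.warning(...)` over `console.log` so the swallowed failure is visible in the job annotations. With `on: [push]` still the trigger at this commit, `context.issue.number` is presumably undefined on push events, so the request likely fails on every non-PR run; the following commit's trigger change addresses that rather than this hunk.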
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index f0a2ffb4b..f1a5527e2 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -1,6 +1,8 @@ name: coverage -on: [push] +on: + # this allows for `contents: write` and `pull-requests: write` from forks + pull_request_target: # limit default permissions to just read-only checkouts permissions: @@ -19,7 +21,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - ref: ${{ matrix.branch == 'main' && 'main' || '' }} + # for safety, `pull_request_target` changes the default checkout to be the target branch, so we have to request the merge (we're limited to `permissions: {contents: read}`, so this is ok) + ref: ${{ matrix.branch == 'main' && 'main' || (github.event.pull_request && format('refs/pull/{0}/merge', github.event.pull_request.number)) || '' }} - name: Bazel cache id: bazel-cache
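Review bot: `pull_request_target` runs this workflow with the base repository's token and `secrets` while, per the next hunk, the `coverage` job checks out and builds `refs/pull/N/merge`, i.e. code controlled by the PR author; the workflow-level `permissions: contents: read` the new comment relies on does not neutralize that. Any secret the repository exposes to this workflow is readable by fork code, the `Bazel cache` step (presumably `actions/cache`, only its name is visible) writes under the base branch's cache scope so a fork can poison the cache trusted runs restore, and the `comment` job's `pull-requests: write` token is used by a step whose script interpolates `${{fromJson(needs.coverage.outputs.cov-pr)...}}` — an output produced by that untrusted build — directly into JavaScript. The established pattern is to build and measure coverage on a plain `pull_request` trigger (read-only token, no secrets, works from forks), upload the coverage JSON as an artifact, and post the comment from a separate `workflow_run`-triggered workflow that never checks out PR code. If `pull_request_target` is kept, the `coverage` job must not check out or execute PR code, and the comment should read `# WARNING: runs with base-repo token and secrets against PR-controlled code; do not check out or execute the PR head here` rather than presenting the write access from forks as the benefit.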