This is an automated email from the ASF dual-hosted git repository.
github-merge-queue[bot] pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/datafusion.git
The following commit(s) were added to refs/heads/main by this push:
new f70dacb050 ci(breaking-change-detector): don't use `maintain-one-comment` and instead do it manually (#22568)
f70dacb050 is described below
commit f70dacb050b365f20f54645cc3a8ae138e35e1d0
Author: Raz Luvaton <[email protected]>
AuthorDate: Thu May 28 19:14:15 2026 +0300
ci(breaking-change-detector): don't use `maintain-one-comment` and instead do it manually (#22568)
the comment and label for the breaking change detector have not been working for 8 days already (it was noticed by @neilconway)
after searching, the issue is that
[`actions-cool/maintain-one-comment`](https://github.com/actions-cool/maintain-one-comment)
that we used was compromised and was removed from GitHub.
we did not use the malicious commit, fortunately.
this changes the comment logic to be manual instead of using that action
See more:
- [actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Commit That Exfiltrates CI/CD Credentials Blog post](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials)
Issue to remove the action from asf allow list:
- https://github.com/apache/infrastructure-actions/issues/891
---
.../breaking_changes_detector_comment.yml | 85 ++++++++++++++--------
1 file changed, 56 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/breaking_changes_detector_comment.yml
b/.github/workflows/breaking_changes_detector_comment.yml
index 579c61cb9d..f3a3400d00 100644
--- a/.github/workflows/breaking_changes_detector_comment.yml
+++ b/.github/workflows/breaking_changes_detector_comment.yml
@@ -104,39 +104,66 @@ jobs:
echo "${DELIM}"
} >> "$GITHUB_OUTPUT"
- # The marker `<!-- semver-check-comment -->` is what makes the comment
- # "sticky": maintain-one-comment uses it to find and replace (or
- # delete) the existing comment instead of stacking new ones.
+
+ # Find any existing sticky comment by its hidden marker so we can update
+ # or delete it instead of stacking new ones.
+ - name: Find existing sticky comment
+ id: find
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+ PR_NUMBER: ${{ steps.read.outputs.pr_number }}
+ run: |
+ COMMENT_ID=$(gh api --paginate
"repos/${REPO}/issues/${PR_NUMBER}/comments" \
+ --jq '.[] | select(.body | contains("<!-- semver-check-comment
-->")) | .id' \
+ | head -n1)
+ echo "comment_id=${COMMENT_ID}" >> "$GITHUB_OUTPUT"
+
+ # update the existing comment found above, or create a new one. The
hidden
+ # marker `<!-- semver-check-comment -->` stays in the body so the next
run
+ # finds it again. LOGS is interpolated via a shell parameter expansion,
+ # whose result bash does not re-scan, so untrusted log content cannot
+ # inject further commands.
- name: Upsert sticky comment
if: steps.read.outputs.result != 'success'
- uses:
actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a #
v3.3.0
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- number: ${{ steps.read.outputs.pr_number }}
- body-include: '<!-- semver-check-comment -->'
- body: |
- <!-- semver-check-comment -->
- Thank you for opening this pull request!
-
- Reviewer note:
[cargo-semver-checks](https://github.com/obi1kenobi/cargo-semver-checks)
reported the current version number is not SemVer-compatible with the changes
in this pull request (compared against the base branch).
-
- <details>
- <summary>Details</summary>
-
- ```
- ${{ steps.read.outputs.logs }}
- ```
-
- </details>
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+ PR_NUMBER: ${{ steps.read.outputs.pr_number }}
+ COMMENT_ID: ${{ steps.find.outputs.comment_id }}
+ LOGS: ${{ steps.read.outputs.logs }}
+ run: |
+ set -euo pipefail
+ BODY="<!-- semver-check-comment -->
+ Thank you for opening this pull request!
+
+ Reviewer note:
[cargo-semver-checks](https://github.com/obi1kenobi/cargo-semver-checks)
reported the current version number is not SemVer-compatible with the changes
in this pull request (compared against the base branch).
+
+ <details>
+ <summary>Details</summary>
+
+ \`\`\`
+ ${LOGS}
+ \`\`\`
+
+ </details>"
+
+ # Use --raw-field (not --field): always sends the value as a literal
string. while --field would treat a leading `@` as a file to read
+ # (even though the body does not start with user input we are being
cautious)
+ if [ -n "$COMMENT_ID" ]; then
+ gh api "repos/${REPO}/issues/comments/${COMMENT_ID}" --method
PATCH --raw-field body="$BODY"
+ else
+ gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" --method POST
--raw-field body="$BODY"
+ fi
+ # Clear a stale comment once the breaking change is resolved.
- name: Delete sticky comment
- if: steps.read.outputs.result == 'success'
- uses:
actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a #
v3.3.0
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- number: ${{ steps.read.outputs.pr_number }}
- body-include: '<!-- semver-check-comment -->'
- delete: true
+ if: steps.read.outputs.result == 'success' &&
steps.find.outputs.comment_id != ''
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
+ COMMENT_ID: ${{ steps.find.outputs.comment_id }}
+ run: gh api -X DELETE "repos/${REPO}/issues/comments/${COMMENT_ID}"
- name: Add "auto detected api change" label
if: steps.read.outputs.result != 'success'
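Review bot: the "Find existing sticky comment" step runs without `set -euo pipefail`, so a failed `gh api --paginate` call still ends the step successfully with an empty `comment_id`; the Upsert step then takes the POST branch and posts a fresh comment, which reintroduces the stacking the marker lookup is meant to prevent. A second issue in the same lookup: `select(.body | contains("<!-- semver-check-comment -->"))` matches any comment containing the marker regardless of author, so a comment from another user that happens to include that string would be overwritten by the PATCH or removed by the "Delete sticky comment" step. Suggest making the lookup fail loudly and restricting the match to the workflow's own comments (posted with `secrets.GITHUB_TOKEN`, they appear under the `github-actions[bot]` login), e.g.

set -euo pipefail
--jq '.[] | select(.user.login == "github-actions[bot]") | select(.body | contains("<!-- semver-check-comment -->")) | .id'

and, since pipefail makes `head -n1` closing the pipe early a potential SIGPIPE failure for `gh`, take the first id in the shell instead (`COMMENT_ID=${COMMENT_ID%%$'\n'*}`) rather than piping through `head`.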
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]