# Modelled after https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

name: Post PR Suggestions

on:
  workflow_run:
    workflows: ["PR Suggestions"]
    types:
      - completed

jobs:
  comment:
    runs-on: ubuntu-latest
    if: >
      ${{ github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' }}

    steps:
      - name: 'Download artifact'
        uses: actions/github-script@v6
        with:
          script: |
            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: ${{github.event.workflow_run.id }},
            });
            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "pr"
            })[0];
            var download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
               artifact_id: matchArtifact.id,
               archive_format: 'zip',
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
      - run: unzip pr.zip

      - uses: actions/github-script@v6
        with:
          script: |
            const { promises: fs } = require('fs')
            const event = (await fs.readFile('event', 'utf8')).trim()
            const body = (await fs.readFile('body', 'utf8')).trim()
            const issue_number = Number(await fs.readFile('./NR'));

            var req = {
              owner: context.repo.owner,
              pull_number: issue_number,
              repo: context.repo.repo,
              event: event
            };
            if (body !== "") {
              req.body = body;
            }
            await github.rest.pulls.createReview(req);