The metrics bot runs `on: [pull_request_target]`, meaning it operates on the target, i.e. the master branch, not on the branch requesting to be pulled.
For example, in this PR, #80, there are two commits: one that doesn't influence metrics at all and one that yields an error rate of 100%, but the bot comments the same error rate of 15% on both.
So the metrics should either be done on `push`, on `pull_request` with some setup not requiring access to secrets, or remain on `pull_request_target` but explicitly check out the PR branch after human approval.
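A sketch of the third option, added here as an example and not taken from the project's workflow: the job that runs PR code checks out the PR head only after an environment approval and holds a read-only token, while a separate job that never checks out PR code posts the comment. The environment name `metrics-approval` (with required reviewers configured in repository settings and no secrets attached) and the script `scripts/metrics.sh` are assumptions.

```yaml
# Added example. Assumed names: the "metrics-approval" environment and
# scripts/metrics.sh (prints the error rate on stdout).
name: metrics
on: [pull_request_target]

permissions: {}   # no token permissions by default; grant per job

jobs:
  measure:
    runs-on: ubuntu-latest
    environment: metrics-approval   # run pauses here until a reviewer approves
    permissions:
      contents: read
    outputs:
      error_rate: ${{ steps.run.outputs.error_rate }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Without this ref, pull_request_target checks out the base branch,
          # so every commit in the PR reports the same number.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # keep the token out of .git/config
      - id: run
        # PR-controlled code runs in this step: pass it no secrets.
        run: echo "error_rate=$(./scripts/metrics.sh)" >> "$GITHUB_OUTPUT"

  comment:
    needs: measure
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # No checkout here: this job never executes code from the PR.
      - env:
          GH_TOKEN: ${{ github.token }}
          ERROR_RATE: ${{ needs.measure.outputs.error_rate }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Error rate: $ERROR_RATE"
```

Each new push to the PR starts a new run that waits for approval again, and the checkout is pinned to the head SHA of the event that triggered that run.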