Remove API token requirement from Danger workflow

numbata · numbata · commit f7113a2c7387 · 2025-12-07T02:35:51.000+01:00
Use secure two-workflow pattern from dblock's blog post:
- First workflow runs on pull_request, executes danger dry_run
  without write permissions, uploads JSON report as artifact
- Second workflow runs on workflow_run after first completes,
  downloads artifact and posts PR comment with write access

This is secure because untrusted fork code never has access to
write permissions. The comment workflow runs trusted code from
the base branch.

Inlined Dangerfile checks from ruby-grape-danger to avoid plugins
that require GitHub API methods not available in dry_run mode.
diff --git a/.github/workflows/danger-comment.yml b/.github/workflows/danger-comment.yml
@@ -0,0 +1,89 @@
+---
+name: danger-comment
+on:
+  workflow_run:
+    workflows: [danger]
+    types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.pull_requests[0]
+    steps:
+    - name: Download Danger report
+      uses: actions/download-artifact@v6
+      with:
+        name: danger-report
+        github-token: ${{ github.token }}
+        run-id: ${{ github.event.workflow_run.id }}
+    - name: Post or update PR comment
+      uses: actions/github-script@v8
+      with:
+        script: |
+          const fs = require('fs');
+          const report = JSON.parse(fs.readFileSync('danger_report.json', 'utf8'));
+
+          let body = '## Danger Report\n\n';
+
+          if (report.errors && report.errors.length > 0) {
+            body += '### Errors\n';
+            report.errors.forEach(e => body += `- :no_entry_sign: ${e}\n`);
+            body += '\n';
+          }
+
+          if (report.warnings && report.warnings.length > 0) {
+            body += '### Warnings\n';
+            report.warnings.forEach(w => body += `- :warning: ${w}\n`);
+            body += '\n';
+          }
+
+          if (report.messages && report.messages.length > 0) {
+            body += '### Messages\n';
+            report.messages.forEach(m => body += `- :book: ${m}\n`);
+            body += '\n';
+          }
+
+          if ((!report.errors || report.errors.length === 0) &&
+              (!report.warnings || report.warnings.length === 0) &&
+              (!report.messages || report.messages.length === 0)) {
+            body += ':white_check_mark: All checks passed!';
+          }
+
+          const prNumber = ${{ github.event.workflow_run.pull_requests[0].number }};
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: prNumber
+          });
+
+          const botComment = comments.find(c =>
+            c.user.login === 'github-actions[bot]' &&
+            c.body.includes('## Danger Report')
+          );
+
+          if (botComment) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+              body: body
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              body: body
+            });
+          }
+
+          // Fail if there are errors
+          if (report.errors && report.errors.length > 0) {
+            core.setFailed('Danger found errors');
+          }
diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
@@ -6,16 +6,22 @@ jobs:
   danger:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
-        fetch-depth: 100    
+        fetch-depth: 0
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: 3.4
         bundler-cache: true
     - name: Run Danger
-      run: |
-        # the token is public, has public_repo scope and belongs to the grape-bot user owned by @dblock, this is ok
-        TOKEN=$(echo -n Z2hwX2lYb0dPNXNyejYzOFJyaTV3QUxUdkNiS1dtblFwZTFuRXpmMwo= | base64 --decode)
-        DANGER_GITHUB_API_TOKEN=$TOKEN bundle exec danger --verbose
+      env:
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        DANGER_REPORT_PATH: danger_report.json
+      run: bundle exec danger dry_run --base=$BASE_SHA --head=$HEAD_SHA --verbose
+    - name: Upload Danger report
+      uses: actions/upload-artifact@v5
+      with:
+        name: danger-report
+        path: danger_report.json
diff --git a/Dangerfile b/Dangerfile
@@ -1,3 +1,44 @@
 # frozen_string_literal: true
 
-danger.import_dangerfile(gem: 'ruby-grape-danger')
+# Inline checks from ruby-grape-danger (avoids plugins requiring GitHub API token)
+
+has_app_changes = !git.modified_files.grep(/lib/).empty?
+has_spec_changes = !git.modified_files.grep(/spec/).empty?
+
+if has_app_changes && !has_spec_changes
+  warn("There're library changes, but not tests. That's OK as long as you're refactoring existing code.", sticky: false)
+end
+
+if !has_app_changes && has_spec_changes
+  message('We really appreciate pull requests that demonstrate issues, even without a fix. That said, the next step is to try and fix the failing tests!', sticky: false)
+end
+
+# Simplified changelog check (replaces danger-changelog plugin which requires github.* methods)
+# Note: toc.check! from danger-toc plugin removed (not essential for CI)
+has_changelog_changes = git.modified_files.include?('CHANGELOG.md') || git.added_files.include?('CHANGELOG.md')
+if has_app_changes && !has_changelog_changes
+  warn('Please update CHANGELOG.md with a description of your changes.', sticky: false)
+end
+
+(git.modified_files + git.added_files - %w[Dangerfile]).each do |file|
+  next unless File.file?(file)
+
+  contents = File.read(file)
+  if file.start_with?('spec')
+    fail("`xit` or `fit` left in tests (#{file})") if contents =~ /^\w*[xf]it/
+    fail("`fdescribe` left in tests (#{file})") if contents =~ /^\w*fdescribe/
+  end
+end
+
+# Output JSON report for GitHub Actions workflow_run to post as PR comment
+if ENV['DANGER_REPORT_PATH']
+  require 'json'
+
+  report = {
+    errors: violation_report[:errors].map(&:message),
+    warnings: violation_report[:warnings].map(&:message),
+    messages: violation_report[:messages].map(&:message)
+  }
+
+  File.write(ENV['DANGER_REPORT_PATH'], JSON.pretty_generate(report))
+end
