Do not comment on PRs

snazy · snazy · commit 70b55cfd9f4e · 2026-02-27T17:02:13.000+01:00
diff --git a/.github/workflows/check-project-actions.yml b/.github/workflows/check-project-actions.yml
@@ -65,7 +65,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      pull-requests: write
     steps:
       - name: "Checkout apache/infrastructure-actions"
         uses: actions/checkout@v2
@@ -92,10 +91,3 @@ jobs:
 
           import check_repository_actions as c
           c.check_project_actions('./repository-to-be-checked', './approved_patterns.yml')
-
-      - name: Comment on PR
-        if: failure() && github.event_name == 'pull_request'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run:
-          gh pr --repo ${{ github.repository }} comment ${{ github.event.pull_request.number }} --body-file step-summary-output.txt
diff --git a/README.md b/README.md
@@ -27,8 +27,6 @@ jobs:
     permissions:
       # Only read access to the repository's content
       contents: read
-      # Allow the workflow to add a comment to a PR in case the actions-verification failed
-      pull-requests: write
 ```
 
 When calling the `check-project-actions` workflow from a `push` or `pull_request` event, it should work
diff --git a/check-actions-usage/sample-ci-workflow.yml b/check-actions-usage/sample-ci-workflow.yml
@@ -32,6 +32,11 @@ on:
     paths:
       - ".github/**"
 
+permissions:
+  # Only read access is required.
+  contents: read
+  # All other permissions are "none".
+
 jobs:
   # This is the job that verifies your project's usage of approved GitHub actions
   check:
@@ -40,9 +45,6 @@ jobs:
     permissions:
       # Only read access to the repository's content.
       contents: read
-      # Allow the workflow to add a comment to a PR in case the actions-verification failed.
-      # This is required to run the workflow.
-      pull-requests: write
       # All other permissions are "none".
     # Optionally, you can specify a different repository and/or ref to check. These options are passed to
     # GitHub actions/checkout, see https://github.com/actions/checkout?tab=readme-ov-file#usage for details.
diff --git a/gateway/check_repository_actions.py b/gateway/check_repository_actions.py
@@ -159,33 +159,23 @@ def check_project_actions(repository: str | os.PathLike, approved_patterns_file:
                         failures.append(f"❌ {relative_path} {yaml_path}: '{uses_value}' is not approved")
 
     if on_gha():
-        summary_lines: list[str] = [
-            "# GitHub Actions verification result",
-            "",
-            "For more information visit the [ASF Infrastructure GitHub Actions Policy](https://infra.apache.org/github-actions-policy.html) page",
-            "and the [ASF Infrastructure Actions](https://github.com/apache/infrastructure-actions) repository.",
-        ]
-
-        if len(failures) > 0:
-            summary_lines.extend(["", f"## Failures ({len(failures)})"])
-            for msg in failures:
-                summary_lines.extend([msg, ""])
-
-        if len(warnings) > 0:
-            summary_lines.extend(["", f"## Warnings ({len(warnings)})"])
-            for msg in warnings:
-                summary_lines.extend([msg, ""])
-
-        if len(failures) == 0:
-            summary_lines.append("✅ Success, all action usages match the currently approved patterns.")
-
-        summary_text = "\n".join(summary_lines).rstrip() + "\n"
-
         with open(os.environ["GITHUB_STEP_SUMMARY"], "a") as f:
-            f.write(summary_text)
-        # This file is used in the workflow to post a comment on a pull request.
-        with open("step-summary-output.txt", "a") as f:
-            f.write(summary_text)
+            f.write(f"# GitHub Actions verification result\n")
+            f.write("\n")
+            f.write("For more information visit the [ASF Infrastructure GitHub Actions Policy](https://infra.apache.org/github-actions-policy.html) page\n")
+            f.write("and the [ASF Infrastructure Actions](https://github.com/apache/infrastructure-actions) repository.\n")
+            if len(failures) > 0:
+                f.write("\n")
+                f.write(f"## Failures ({len(failures)})\n")
+                for msg in failures:
+                    f.write(f"{msg}\n\n")
+            if len(warnings) > 0:
+                f.write("\n")
+                f.write(f"## Warnings ({len(warnings)})\n")
+                for msg in warnings:
+                    f.write(f"{msg}\n\n")
+            if len(failures) == 0:
+                f.write(f"✅ Success, all action usages match the currently approved patterns.\n")
 
     if len(failures) > 0:
         raise Exception(f"One or more action references are not approved or explicitly blocked:\n{"\n".join(failures)}")
