ci: post sticky PR comment with fallow audit findings

jrusso1020 · jrusso1020 · commit 7c1098daaa20 · 2026-05-19T02:21:48.000Z
Reviewers shouldn't have to dig through CI logs to see what fallow
flagged. With this change, on every PR the fallow job posts (or
updates) a sticky comment containing the full audit report formatted
as a collapsible markdown table.

The comment uses fallow's built-in `pr-comment-github` format, which
already emits a `&lt;!-- fallow-id: fallow-results --&gt;` sentinel.
`marocchino/sticky-pull-request-comment@v2.9.1` matches that header so
each run replaces the previous comment instead of stacking new ones.

The job now runs in three steps:
1. Run `fallow audit ... --format pr-comment-github` with
   `continue-on-error: true` so the comment posts even when the audit
   fails. Exit code is captured.
2. Post (or update) the sticky comment with the captured output.
3. Re-emit the audit exit code so the job still fails-the-build on
   new findings.

Bumps the workflow's `pull-requests` permission from read to write,
needed for the sticky-comment poster to call the issues API.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -86,24 +86,74 @@ jobs:
   # the changed files. The default `--gate new-only` means existing legacy
   # findings don't fail the build — only NEW issues introduced by the PR do.
   # This stops bleeding while letting incremental cleanup land separately.
+  #
+  # On findings, the job posts (or updates) a sticky comment on the PR so
+  # reviewers see the full list inline instead of digging through CI logs.
   fallow:
     name: Fallow audit
     needs: changes
     if: needs.changes.outputs.code == 'true' && github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    # Scope write access to this single job — the rest of `ci.yml` keeps the
+    # workflow-level `pull-requests: read` default so build / lint / test
+    # tokens can't post or modify PR comments. Job-level permissions override
+    # the workflow block.
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # Full history so `--base origin/main` can diff against the merge
           # base on stacked PRs, not just the shallow tip.
           fetch-depth: 0
+      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
-      # Pinned version — bumps land via a deliberate PR. Keep in sync with
-      # the version that produced the current `.fallowrc.jsonc` config.
-      - run: npx -y fallow@2.75.0 audit --base origin/main --fail-on-issues
+      - run: bun install --frozen-lockfile
+      - name: Run fallow audit
+        id: audit
+        # `bun install` above made `bunx fallow` resolve from node_modules, so
+        # we don't re-download fallow each run. The script disables `errexit`
+        # so the audit's non-zero exit (on findings) doesn't abort before we
+        # write the exit code to the step output. The size check guards
+        # against fallow crashing before producing markdown (e.g. transient
+        # parse failure) — without it we'd post a blank sticky comment.
+        run: |
+          set +e
+          bunx fallow audit --base origin/main --fail-on-issues \
+            --format pr-comment-github \
+            > /tmp/fallow-comment.md
+          echo "exit_code=$?" >> "$GITHUB_OUTPUT"
+          if [ ! -s /tmp/fallow-comment.md ]; then
+            echo "fallow produced no output — see the job logs above." > /tmp/fallow-comment.md
+          fi
+      - name: Post sticky comment (findings)
+        if: steps.audit.outputs.exit_code != '0'
+        # Fork PRs run with a read-only GITHUB_TOKEN regardless of the
+        # workflow's `permissions:` block, so the comment post will fail on
+        # forks. Don't fail the whole job — the audit gate below still fires.
+        continue-on-error: true
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          # `header` matches fallow's built-in `<!-- fallow-id: fallow-results -->`
+          # sentinel so subsequent runs update the same comment.
+          header: fallow-results
+          path: /tmp/fallow-comment.md
+      - name: Remove stale sticky comment (clean run)
+        if: steps.audit.outputs.exit_code == '0'
+        continue-on-error: true
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          header: fallow-results
+          delete: true
+      - name: Fail if audit found issues
+        if: steps.audit.outputs.exit_code != '0'
+        run: |
+          echo "::error::Fallow audit found new issues — see the PR comment above for details."
+          exit 1
 
   format:
     name: Format
