
Show HN: Execute any comment from issues and pull requests on GitHub - nwtgck
https://github.com/nwtgck/actions-comment-run
======
robrtsql
Wonder if this was developed for
[https://githubhackathon.com/](https://githubhackathon.com/) or not.

This is by far the most interesting Action I've seen yet.

~~~
nwtgck
Thanks! OK, I'll submit it.

~~~
nwtgck
I submitted it.

------
bilekas
This is very useful actually.. I guess it's a stupid question, but is there
room for XSS injection then into the actual bot source itself ? Or is that all
taken care of already ?

I know you have authorized users and such, but should one get through.

I really like this.

------
harrisonjackson
It'd be cool to have this accept comment reactions as extra inputs or
controls. Don't run until rocket or run again for thumbsup. :eyes: could be
run with verbose output.

I don't have an actual use case for this that I can think of but it is neat!

------
smashah
Nice! One thing actions was missing (at least for me, or I couldn't figure it
out) was the ability to run them on-demand/ad hoc.

I'm planning to use this to run a build+release script for a specific issue
and reply with a changelog then close the issue/change the status for an open-
source project I run.

~~~
anthonysterling
You could create a workflow that listens for the `repository_dispatch` event,
see [https://developer.github.com/v3/repos/#create-a-
repository-d...](https://developer.github.com/v3/repos/#create-a-repository-
dispatch-event)

:)

~~~
smashah
Awesome thanks! The project I run has a lot of emergency updates so this,
being able to release simply with a comment referring to a specific issue in
context is really helpful. this is how I've set it up:

[https://github.com/smashah/sulla/issues/197](https://github.com/smashah/sulla/issues/197)

------
jonperl
This is a very cool concept! It would be useful for CLI commands like `npm
test someSpecificTest`.

~~~
nwtgck
Thanks! You can use shebang. Learn more: [https://github.com/nwtgck/actions-
comment-run#tips-run-other...](https://github.com/nwtgck/actions-comment-
run#tips-run-other-languages)

------
fiatjaf
Shameless plug: my Telegram bots that run arbitrary Lua[1] and jq[2] code.

[1]: [https://t.me/runluabot](https://t.me/runluabot)

[2]: [https://t.me/runjqbot](https://t.me/runjqbot)

------
meeebooo
Next step: setting up email filters for @github-actions and various
combinations of things you really don't need to see.

It's cool for sure, but maybe not for things like their big "lgtm" example.

------
skiman10
This is awesome!

Aside, does anyone know how to change labels to PRs based on merge status with
github actions?

------
exikyut
I'm honestly not sure what I'd use this for, but only because I don't use
GitHub for much.

The amount of integration is impressive, and I'm actually kinda sad this isn't
being more highly voted up.

There's only one feature I think is really missing, and that's stored
functions. Right now, I have to insert the full code snippet I want to run
every. single. time. For scenarios where I want to modify the code snippet
each time, this makes perfect sense, and is a valid first-class use-case that
should stick around. But for all the scenarios where I just want to run the
same old tidbit of code, I still have to reimport it fresh each time.

A few rambling thoughts/ideas:

\- Referencing a Gist (which should only work when the full #gistcomment-...
fragment is included)

\- Referencing a code snippet in another issue, either by #number or by full
URL (which should similarly only work when the full #issuecomment-... fragment
is present)

\- Referencing a code snippet _from an issue in another project_

\- Allowing for the insertion of a SHA256 hash (either in hexadecimal
(aabbccdd) or base64 (AbCd==) format) at the top of script bodies, for use in
scenarios where I'd need to provide explicit authorization that I do indeed
want to run a script that I didn't post myself

\- Referencing a script from a file in my repo

\- Referencing a script from a file in someone else's repo

You may ask why I am so insistent on dereferencing. a) it allows me to do
magic things by wrangling URLs instead of entire blocks of code, and b) it
lets me keep my posts tidy and not full of source code. My own bias strongly
suggests to me that adopting a model like this might lead to slightly more
widespread success. Your bias may disagree. I don't know what's closer to the
truth.

Regarding the SHA idea, the way I concretely imagine this might work is that
you'd introduce an alternate, optional block start like "`js SHA256:xxxxxxx",
with the hash being applied to everything between the first and last lines (I
think you might want to include the trailing newline after the script in the
hash input - this will make life easier for those using editors that enforce
one trailing newline).

This would indeed introduce massive redundancy - I now have to hash my blocks
of code in order for them to run - but it would mean that people looking for
code to run could straightforwardly and safely reference random stored
functions (via something along the lines of "@github-actions run
[http://github.com/.......](http://github.com/.......). SHA256:XXX") and
they'll only be run if the code matches its own checksum _along with_ the
checksum in the run link.

I also think that perhaps there might be an explicit "reference" syntax, like
"@github-actions ref" or something, for scenarios where the bot would be
ignoring the code in question, and only running it when someone references it
later. Perhaps in this scenario an alternate header format could be used that
doesn't cause the bot to be notified; perhaps this could be as simple as
removing the @.

I'm imagining scenarios where issues get created then closed as a stashing
ground for code snippets.

~~~
o-__-o
GitHub has saved replies so the function is already stored and can be recalled
with as little as two clicks

