Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Execute any comment from issues and pull requests on GitHub (github.com)
95 points by nwtgck 3 months ago | hide | past | web | favorite | 15 comments

Wonder if this was developed for https://githubhackathon.com/ or not.

This is by far the most interesting Action I've seen yet.

Thanks! OK, I'll submit it.

I submitted it.

This is very useful actually.. I guess it's a stupid question, but is there room for XSS injection then into the actual bot source itself ? Or is that all taken care of already ?

I know you have authorized users and such, but should one get through.

I really like this.

It'd be cool to have this accept comment reactions as extra inputs or controls. Don't run until rocket or run again for thumbsup. :eyes: could be run with verbose output.

I don't have an actual use case for this that I can think of but it is neat!

Nice! One thing actions was missing (at least for me, or I couldn't figure it out) was the ability to run them on-demand/ad hoc.

I'm planning to use this to run a build+release script for a specific issue and reply with a changelog then close the issue/change the status for an open-source project I run.

You could create a workflow that listens for the `repository_dispatch` event, see https://developer.github.com/v3/repos/#create-a-repository-d...


Awesome thanks! The project I run has a lot of emergency updates so this, being able to release simply with a comment referring to a specific issue in context is really helpful. this is how I've set it up:


This is a very cool concept! It would be useful for CLI commands like `npm test someSpecificTest`.

Thanks! You can use shebang. Learn more: https://github.com/nwtgck/actions-comment-run#tips-run-other...

Shameless plug: my Telegram bots that run arbitrary Lua[1] and jq[2] code.

[1]: https://t.me/runluabot

[2]: https://t.me/runjqbot

Next step: setting up email filters for @github-actions and various combinations of things you really don't need to see.

It's cool for sure, but maybe not for things like their big "lgtm" example.

This is awesome!

Aside, does anyone know how to change labels to PRs based on merge status with github actions?

I'm honestly not sure what I'd use this for, but only because I don't use GitHub for much.

The amount of integration is impressive, and I'm actually kinda sad this isn't being more highly voted up.

There's only one feature I think is really missing, and that's stored functions. Right now, I have to insert the full code snippet I want to run every. single. time. For scenarios where I want to modify the code snippet each time, this makes perfect sense, and is a valid first-class use-case that should stick around. But for all the scenarios where I just want to run the same old tidbit of code, I still have to reimport it fresh each time.

A few rambling thoughts/ideas:

- Referencing a Gist (which should only work when the full #gistcomment-... fragment is included)

- Referencing a code snippet in another issue, either by #number or by full URL (which should similarly only work when the full #issuecomment-... fragment is present)

- Referencing a code snippet from an issue in another project

- Allowing for the insertion of a SHA256 hash (either in hexadecimal (aabbccdd) or base64 (AbCd==) format) at the top of script bodies, for use in scenarios where I'd need to provide explicit authorization that I do indeed want to run a script that I didn't post myself

- Referencing a script from a file in my repo

- Referencing a script from a file in someone else's repo

You may ask why I am so insistent on dereferencing. a) it allows me to do magic things by wrangling URLs instead of entire blocks of code, and b) it lets me keep my posts tidy and not full of source code. My own bias strongly suggests to me that adopting a model like this might lead to slightly more widespread success. Your bias may disagree. I don't know what's closer to the truth.

Regarding the SHA idea, the way I concretely imagine this might work is that you'd introduce an alternate, optional block start like "`js SHA256:xxxxxxx", with the hash being applied to everything between the first and last lines (I think you might want to include the trailing newline after the script in the hash input - this will make life easier for those using editors that enforce one trailing newline).

This would indeed introduce massive redundancy - I now have to hash my blocks of code in order for them to run - but it would mean that people looking for code to run could straightforwardly and safely reference random stored functions (via something along the lines of "@github-actions run http://github.com/........ SHA256:XXX") and they'll only be run if the code matches its own checksum _along with_ the checksum in the run link.

I also think that perhaps there might be an explicit "reference" syntax, like "@github-actions ref" or something, for scenarios where the bot would be ignoring the code in question, and only running it when someone references it later. Perhaps in this scenario an alternate header format could be used that doesn't cause the bot to be notified; perhaps this could be as simple as removing the @.

I'm imagining scenarios where issues get created then closed as a stashing ground for code snippets.

GitHub has saved replies so the function is already stored and can be recalled with as little as two clicks

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact