Bugfix FXIOS-13835 Fix Github workflow errors on forks

[mattreaganmozilla]

📜 Tickets

Jira ticket

💡 Description

Fix error on forks, move workflow trigger to main.

📝 Checklist

• I filled in the ticket numbers and a description of my work
• I updated the PR name to follow our PR naming guidelines
• I ensured unit tests pass and wrote tests for new code
• If working on UI, I checked and implemented accessibility (Dynamic Text and VoiceOver)
• If adding telemetry, I read the data stewardship requirements and will request a data review
• If adding or modifying strings, I read the guidelines and will request a string review from l10n
• If needed, I updated documentation and added comments to complex code

[mattreaganmozilla]

+cc @janbrasna

[mobiletest-ci-bot]

🧹 Tidy commit

Just 1 file(s) touched. Thanks for keeping it clean and review-friendly!

✅ Per-file coverage

All changed files meet the threshold of 35.0%.

Generated by 🚫 Danger Swift against d75292f

[issammani]

@mattreaganmozilla since we almost never push directly to main and changes always come from merged PRs, wouldn't it be easier to listen for push on main ? Then we won't have the problem of having to check all the base refs and for forks since we are guaranteed to always run from our repo's scope . I think we can get the PR number from a merged commit by using something like this:

gh pr list --search "${{ github.sha }}" --state merged --json number --jq '.[0].number'

[mattreaganmozilla]

@issammani I think I understand what you're suggesting but this is slightly outside my wheelhouse, I'm not well-versed with Github Actions. Does this (below) look more like what you had in mind? +cc @janbrasna Maybe you can also chime in with thoughts/feedback.

name: Comment App Version on Merged PR

on:
  push:
    branches:
      - main

jobs:
  comment-version:
    runs-on: ubuntu-latest

    steps:
      - name: Check out main
        uses: actions/checkout@v4

      - name: Read version.txt
        id: get_version
        run: echo "version=$(cat version.txt)" >> $GITHUB_OUTPUT

      - name: Get PR number for this merge commit
        id: get_pr
        run: |
          pr_number=$(gh pr list --search "${{ github.sha }}" --state merged --json number --jq '.[0].number')
          if [ -z "$pr_number" ]; then
            echo "No merged PR found for commit ${{ github.sha }}. Likely a direct push to main. Skipping comment."
          fi
          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Comment on PR
        if: steps.get_pr.outputs.pr_number != ''
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          issue-number: ${{ steps.get_pr.outputs.pr_number }}
          body: |
            🚀 PR merged to `main`, targeting version: `${{ steps.get_version.outputs.version }}`

[issammani]

• name: Get PR number for this merge commit
  id: get_pr
  run: |
  pr_number=$(gh pr list --search "${{ github.sha }}" --state merged --json number --jq '.[0].number')
  if [ -z "$pr_number" ]; then
  echo "No merged PR found for commit ${{ github.sha }}. Likely a direct push to main. Skipping comment."
  fi
  echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

@mattreaganmozilla exactly. This looks good to me.

[mattreaganmozilla]

I've updated the yml per the above discussion. @janbrasna Can you please LMK if you have any objections or concerns with this approach? Thank you all

[janbrasna]

Oh go for it! From security standpoint it's better to run privileged defaults off of main push (=trusted actor) than working around pr triggers with varying scopes still running just on the merge head even after merging;) — I'm not familiar with the search params if they also include the squashed commit as "pull requests that contain that SHA" but that's normal with GH docs;D YOLO and see how that works.

(I might have naïve questions about some of the empty value conditions, passing the token, or if the gh cli automatically filters the interaction to the repo running it by default, but that's not important if this works as is, I can see about the defaults and implicit scopes later.)

But this seems indeed solid:

$ gh pr list --search "29c019c" --state merged --repo mozilla-mobile/firefox-ios

Showing 1 of 1 pull request in mozilla-mobile/firefox-ios that matches your search

ID      TITLE                       BRANCH                      CREATED AT      
#29987  Add FXIOS-13840 [Trendi...  cc/FXIOS-13840_add-debu...  about 1 hour ago

🚀

[mattreaganmozilla]

@mozilla-mobile/fxios-automation @clarmso Can we please get a review of this? Thank you 🙏

[github-actions]

🚀 PR merged to main, targeting version: 144.2