CI: artifact-links workflow supports PR and deploy

[nerdCopter]

This PR updates the artifact-links workflow to comment on both PR and deploy workflows. Purpose: testing proof of concept for improved artifact visibility in CI.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nerdCopter]

@coderabbitai, why is the comment not producing both lines specified?

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check the PR comments to see what's actually being posted
gh pr view 4732 --repo betaflight/betaflight-configurator --comments --json comments | jq -r '.comments[] | select(.author.login == "github-actions") | "\(.author.login): \(.body)\n---"' | head -50

# Also check workflow runs to see if there are any errors
gh run list --repo betaflight/betaflight-configurator --workflow="deploy.yml" --limit 5 --json status,conclusion,event,headBranch,createdAt,url

# Get the latest run details for this PR if available
gh run list --repo betaflight/betaflight-configurator --json databaseId,event,headBranch,status,conclusion,url --limit 20 | jq '.[] | select(.headBranch == "deploy-android-apk")'

Length of output: 1285

---

🏁 Script executed:

#!/bin/bash

# Get the logs from the most recent workflow run for PR 4732
gh run view 20071336293 --repo betaflight/betaflight-configurator --log | grep -A 20 "Add deployment comment"

# Also check the raw job output
gh run view 20071336293 --repo betaflight/betaflight-configurator --log | grep -B 5 -A 15 "Preview URL"

Length of output: 2552

---

🏁 Script executed:

#!/bin/bash

# Check the commit that was used in the workflow run
gh run view 20071336293 --repo betaflight/betaflight-configurator --json headSha,createdAt,event,headBranch

# Check the workflow file content at that commit
COMMIT_SHA=$(gh run view 20071336293 --repo betaflight/betaflight-configurator --json headSha -q '.headSha')
echo "Commit SHA: $COMMIT_SHA"

# Get the PR details to see the head commit
gh pr view 4732 --repo betaflight/betaflight-configurator --json headRefOid,headRefName,commits

# Check if there are more recent runs
gh run list --repo betaflight/betaflight-configurator --workflow="deploy.yml" --limit 10 --json databaseId,headSha,createdAt,status,conclusion,event

Length of output: 5276

---

🏁 Script executed:

#!/bin/bash

# Get the workflow file content at the commit that was run
git fetch origin 20251209_artifacts:20251209_artifacts 2>/dev/null || true
git show 8f2cd5ffa124886bd9b3718eb970259f5a36fbc5:.github/workflows/deploy.yml | tail -20

# Also check the current HEAD of the PR branch
gh api repos/betaflight/betaflight-configurator/contents/.github/workflows/deploy.yml?ref=8f2cd5ffa124886bd9b3718eb970259f5a36fbc5 --jq '.content' | base64 -d | tail -25

Length of output: 2187

---

🌐 Web query:

thollander actions-comment-pull-request multiline message github actions

💡 Result:

Yes — thollander/actions-comment-pull-request supports multiline messages. Use the YAML block scalar (|) for the message or point to a file-path; you can also upsert via comment-tag and set reactions. Example:

• name: Comment PR
  uses: thollander/actions-comment-pull-request@v3
  with:
  message: |
  Hello team!
  - Build: success
  - Coverage: 87%
  See details in the workflow run.
  comment-tag: ci-report

Note: the action needs a token with pull-requests: write permissions (defaults to ${{ github.token }}). See README for file-path, modes (upsert/recreate/delete), reactions, and other inputs. [1]

Sources

• thollander/actions-comment-pull-request README. [1]

---

🏁 Script executed:

#!/bin/bash

# Check if there's an issue with how GitHub Actions handles multiline with expressions
# Let's look at the exact indentation and characters in the file

gh api repos/betaflight/betaflight-configurator/contents/.github/workflows/deploy.yml?ref=8f2cd5ffa124886bd9b3718eb970259f5a36fbc5 --jq '.content' | base64 -d > /tmp/deploy.yml

# Show the exact bytes around the message section
cat /tmp/deploy.yml | grep -A 5 "message:" | tail -6 | cat -A

# Also show line numbers
cat /tmp/deploy.yml | grep -n -A 5 "Add deployment comment" | tail -10

Length of output: 634

---

🌐 Web query:

github actions multiline yaml literal block scalar expression evaluation issue

💡 Result:

Short answer: GitHub Actions evaluates ${{ ... }} expressions during workflow parsing/evaluation (not as part of a YAML multiline literal), so expressions inside a literal block (| or >) are still processed — and if you need the raw text "${{ ... }}" you must escape it or construct it using an expression. See GitHub's docs on expressions and the community thread about escaping. [1][2]

Key points and workarounds

• Expressions are evaluated with the ${ { ... } } syntax; they aren't inert just because they're inside a YAML literal block. Use the docs for rules and literal-string behavior. [1]
• To output a literal "${{...}}" (prevent evaluation), build it with an expression that returns that string (escape single quotes), e.g. ${{ 'echo ''${{VAR}}''' }} (example from GitHub community). [2]
• If you need multiline content that must include unevaluated ${ { ... } } tokens, generate it at run-time (echo/printf into a file inside a run step) or put the content into an external file/artifact and read it during the job. These avoid YAML-expression parsing altogether.
• Note: some fields disallow expressions entirely (e.g., steps.uses), so ensure your use-site supports expressions. [3]

Sources

1. GitHub Docs — Evaluate expressions in workflows and actions. [link]. [1]
2. GitHub Community discussion “Escaping ${{ }} in workflows” (example escape technique). [link]. [2]
3. GH-lint / docs noting contexts that forbid expressions (e.g., uses). [link]. [3]

Would you like an example workflow showing both the escape technique and a run-time generation workaround?

---

🏁 Script executed:

#!/bin/bash

# Let's check the actual workflow run logs more carefully to see if there's an error
gh run view 20071336293 --repo betaflight/betaflight-configurator --log | grep -B 10 -A 30 "Add deployment comment" | head -50

# Also let's see if any of the expressions might be evaluating to something unexpected
gh run view 20071336293 --repo betaflight/betaflight-configurator --log | grep -E "(github.server_url|github.repository|github.run_id)"

Length of output: 2059

---

🏁 Script executed:

#!/bin/bash

# Let's create a test to see what these GitHub context variables should evaluate to
# Check if there's any warning or error in the full logs
gh run view 20071336293 --repo betaflight/betaflight-configurator --log-failed

# Get the full log output for the deploy job
gh run view 20071336293 --repo betaflight/betaflight-configurator --log | grep -E "(github\.|Error|Warning)" | grep -i "deploy"

# Check what the github.server_url, github.repository, and github.run_id should be
echo "Expected values:"
echo "github.server_url: https://github.com"
echo "github.repository: betaflight/betaflight-configurator"  
echo "github.run_id: 20071336293"
echo ""
echo "Expected URL: https://github.com/betaflight/betaflight-configurator/actions/runs/20071336293"

Length of output: 961

---

@nerdCopter, I found the issue! The workflow logs show that GitHub Actions is only receiving the first line of the message:

with:
  message: Preview URL: https://pr4732.betaflight-app-preview.pages.dev
  
  comment-tag: Preview URL

The second line with the Android APK link is being lost during GitHub Actions' YAML parsing and expression evaluation phase—before the action even receives it. This is a known limitation when using multiple ${{ }} expressions inside YAML multiline blocks (the | literal block scalar).

Workarounds:

1. Use explicit \n for newlines (recommended):

message: "Preview URL: ${{ steps.deploy.outputs.pages-deployment-alias-url }}\nAndroid APK: [Download from artifacts](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"

2. Set the message in an environment variable first:

- name: Prepare comment message
  run: |
    echo "COMMENT_MSG<<EOF" >> $GITHUB_ENV
    echo "Preview URL: ${{ steps.deploy.outputs.pages-deployment-alias-url }}" >> $GITHUB_ENV
    echo "Android APK: [Download from artifacts](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_ENV
    echo "EOF" >> $GITHUB_ENV

- name: Add deployment comment
  uses: thollander/[email protected]
  with:
    message: ${{ env.COMMENT_MSG }}
    comment-tag: 'Preview URL'
    mode: recreate

3. Use a file (via the file-path input that the action supports).

The first option is the simplest and should work immediately.

[nerdCopter]

@coderabbitai, i changed it to

      - name: Add deployment comment
        if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const previewUrl = '${{ steps.deploy.outputs.pages-deployment-alias-url }}';
            const apkUrl = '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}';
            const message = `Preview URL: ${previewUrl}\nAndroid APK: [Download from artifacts](${apkUrl})`;
            
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: message
            });

but the old method is still being used:

why?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all workflow files that might be related to artifact-links or deployment comments
echo "=== Finding workflow files ==="
fd -e yml -e yaml . .github/workflows

echo -e "\n=== Searching for workflow files with artifact-links or deployment comments ==="
rg -l "artifact-links|deployment.*comment|createComment" .github/workflows/

echo -e "\n=== Examining artifact-links workflow file ==="
fd "artifact-links" .github/workflows --exec cat {}

echo -e "\n=== Searching for all createComment usage in workflows ==="
rg -A 5 -B 5 "createComment" .github/workflows/

Length of output: 2750

---

🏁 Script executed:

#!/bin/bash
# Check the current git branch and recent commits to workflow files
echo "=== Current branch ==="
git branch --show-current

echo -e "\n=== Recent commits affecting workflow files ==="
git log --oneline -10 --all -- .github/workflows/

echo -e "\n=== Checking diff of workflow files in this PR ==="
git diff origin/master...HEAD -- .github/workflows/ || git diff master...HEAD -- .github/workflows/

Length of output: 895

---

🏁 Script executed:

#!/bin/bash
# Get the full deploy.yml file to understand the workflow structure
echo "=== Full deploy.yml workflow ==="
cat .github/workflows/deploy.yml

echo -e "\n=== Checking workflow_run triggers in artifact-links.yml ==="
cat .github/workflows/artifact-links.yml

Length of output: 6250

---

@nerdCopter, I found the issue! You have two separate workflows creating artifact link comments:

1. deploy.yml - Contains your NEW code with actions/github-script (this is working correctly)
2. artifact-links.yml - Still using the OLD method with tonyhallett/[email protected]

Here's what's happening:

The artifact-links.yml workflow triggers automatically after your deploy.yml workflow completes (via workflow_run):

# artifact-links.yml
on:
  workflow_run:
    workflows: ["PR", "Deployment (PR and Push)"]  # <- Triggers after deploy.yml
    types: [completed]

So you're seeing the old format because both workflows are creating comments - your new one from deploy.yml AND the old one from artifact-links.yml.

Solution: You need to either:

1. Delete or disable .github/workflows/artifact-links.yml (recommended if you want to use only the new method)
2. Or remove the "Add deployment comment" step from deploy.yml if you want to keep using artifact-links.yml

Based on the PR objectives (testing a new approach for artifact visibility), I recommend option 1 - removing or disabling the artifact-links.yml workflow so only your new comment creation method runs.

You might also want to update .github/workflows/hide-artifact-links.yml which is currently configured to hide comments starting with "Preview URL:" - that matches your new format, so that should continue working correctly.

[nerdCopter]

@coderabbitai, df2cd70 removes the old method, but the action is still being processed. why? does it REQUIRE merging?
i have personally performed CI modification before and the PR changes usually propagate and process correct unless it is a new file which is not the case here.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check what was changed in commit df2cd704
echo "=== Changes in commit df2cd704 ==="
git show df2cd704 --name-status

echo -e "\n=== Detailed diff for workflow files ==="
git show df2cd704 -- .github/workflows/

echo -e "\n=== Check if artifact-links.yml exists in current PR branch ==="
ls -la .github/workflows/artifact-links.yml 2>&1 || echo "File does not exist in PR branch"

echo -e "\n=== Check if artifact-links.yml exists in master branch ==="
git show origin/master:.github/workflows/artifact-links.yml > /dev/null 2>&1 && echo "File EXISTS in master branch" || echo "File does not exist in master branch"

Length of output: 2106

---

@nerdCopter, yes, it REQUIRES merging in this specific case! Here's why:

Your deletion in commit df2cd70 is correct - the file is gone from your PR branch. However, artifact-links.yml uses a workflow_run trigger, which is a special case:

on:
  workflow_run:
    workflows: ["PR", "Deployment (PR and Push)"]
    types: [completed]

Key difference: Workflows triggered by workflow_run always execute from the DEFAULT branch (master), NOT from the PR branch. This is a GitHub Actions security feature to prevent malicious PRs from modifying workflows that have repository write access.

Here's what's happening:

• ✅ Your PR deleted artifact-links.yml from the PR branch
• ❌ But the file still exists in master branch (confirmed by the script)
• 🔄 When deploy.yml completes, GitHub looks at master branch for artifact-links.yml → finds it → runs it

Why your previous CI modifications worked differently:

Your previous modifications likely used triggers like:

• pull_request / pull_request_target - use PR branch workflow
• push - uses pushed branch workflow

But workflow_run is an exception - it's always sourced from the default branch.

Solution: Merge this PR to master, then the workflow will stop running because the file won't exist in the default branch anymore.

---

🧠 Learnings used

Learnt from: syahmizul
Repo: betaflight/betaflight-configurator PR: 0
File: :0-0
Timestamp: 2025-06-19T12:33:54.180Z
Learning: When reviewing PRs, always check git diff to distinguish between newly added code and existing codebase before flagging issues. Use commands like `git diff origin/master -- filename` to see actual changes introduced by the PR.

[nerdCopter]

Tip

For best results, initiate chat on the files or code changes.
🧩 Analysis chain

@nerdCopter, yes, it REQUIRES merging in this specific case! Here's why:

Your deletion in commit df2cd70 is correct - the file is gone from your PR branch. However, artifact-links.yml uses a workflow_run trigger, which is a special case:

on:
  workflow_run:
    workflows: ["PR", "Deployment (PR and Push)"]
    types: [completed]

Key difference: Workflows triggered by workflow_run always execute from the DEFAULT branch (master), NOT from the PR branch. This is a GitHub Actions security feature to prevent malicious PRs from modifying workflows that have repository write access.

Here's what's happening:

* ✅ Your PR deleted `artifact-links.yml` from the PR branch

* ❌ But the file still exists in `master` branch (confirmed by the script)

* 🔄 When `deploy.yml` completes, GitHub looks at **master branch** for `artifact-links.yml` → finds it → runs it

Why your previous CI modifications worked differently:

Your previous modifications likely used triggers like:

* `pull_request` / `pull_request_target` - use PR branch workflow

* `push` - uses pushed branch workflow

But workflow_run is an exception - it's always sourced from the default branch.

Solution: Merge this PR to master, then the workflow will stop running because the file won't exist in the default branch anymore.
🧠 Learnings used

@coderabbitai, but i disabled the offending artifact-links.yml so it should not trigger, yet deploy.yml still processed thollander/actions-comment-pull-request@v3 rahter than the new actions/github-script@v7.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current state of deploy.yml in the PR branch
echo "=== Current deploy.yml content ==="
cat .github/workflows/deploy.yml

echo -e "\n=== Searching for all thollander/actions-comment-pull-request usage ==="
rg -n "thollander/actions-comment-pull-request" .github/workflows/deploy.yml

echo -e "\n=== Searching for all actions/github-script usage ==="
rg -n "actions/github-script" .github/workflows/deploy.yml

echo -e "\n=== Check recent commits to deploy.yml ==="
git log --oneline -10 -- .github/workflows/deploy.yml

echo -e "\n=== Show the most recent change to deploy.yml ==="
git log -1 -p -- .github/workflows/deploy.yml

Length of output: 8204

---

@nerdCopter, I found the issue! The exact same problem applies to deploy.yml because it uses the pull_request_target trigger:

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

pull_request_target is a security feature that runs workflows from the BASE branch (master), NOT the PR branch. This prevents malicious PRs from modifying workflows that have access to secrets and write permissions.

Here's what's happening:

• ✅ Your PR branch (commit b344a25) correctly has actions/github-script@v7
• ❌ But the workflow executes from the master branch, which still has thollander/actions-comment-pull-request@v3
• 🔒 This is by design - pull_request_target gives the workflow access to secrets and write permissions, so it must run trusted code from the base branch

This is why you need pull_request_target in the first place - your workflow needs:

• Access to CLOUDFLARE_API_TOKEN and other secrets for deployment
• Write permissions to create comments on the PR

But the tradeoff is that workflow changes won't take effect until merged to master.

Solution: Same as before - merge this PR to master, then subsequent PRs will use the new actions/github-script@v7 method.

Why your previous CI modifications worked: If they used regular pull_request trigger (not pull_request_target), those run from the PR branch and take effect immediately. But you couldn't use that here because you need secrets access.

[nerdCopter]

looks like mere mortals cannot finish resolution and requires BF Admin to finalize. @blckmn

goal: android APK in the comment in addition to the Preview URL. Requested by @haslinghuis

[haslinghuis]

@nerdCopter according to previous comment

• it needs to be merged before being activated
• as it runs on master branch.

This makes it hard to test outcome.

[blckmn]

Ends with has to be corrected

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Preview URL: https://pr4732.betaflight-app-preview.pages.dev

[blckmn]

Is this still draft or ready?

[haslinghuis]

@blckmn we both tried to add the APK artifact to be published on the PR, but failed so far.

[blckmn]

Closing this one as we have it now working :)