[ty] Ecosystem analyzer PR comment workflow

.github/workflows/ty-ecosystem-analyzer_comment.yaml

@@ -0,0 +1,85 @@
+name: PR comment (ty ecosystem-analyzer)
+
+on: # zizmor: ignore[dangerous-triggers]
+  workflow_run:
+    workflows: [ty ecosystem-analyzer]
+    types: [completed]
+  workflow_dispatch:
+    inputs:
+      workflow_run_id:
+        description: The ty ecosystem-analyzer workflow that triggers the workflow run
+        required: true
+
+jobs:
+  comment:
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        name: Download PR number
+        with:
+          name: pr-number
+          run_id: ${{ github.event.workflow_run.id ||  github.event.inputs.workflow_run_id }}
+          if_no_artifact_found: ignore
+          allow_forks: true
+
+      - name: Parse pull request number
+        id: pr-number
+        run: |
+          if [[ -f pr-number ]]
+          then
+            echo "pr-number=$(<pr-number)" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: dawidd6/action-download-artifact@20319c5641d495c8a52e688b7dc5fada6c3a9fbc # v8
+        name: "Download comment.md"
+        id: download-comment
+        if: steps.pr-number.outputs.pr-number
+        with:
+          name: comment.md
+          workflow: ty-ecosystem-analyzer.yaml
+          pr: ${{ steps.pr-number.outputs.pr-number }}
+          path: pr/comment
+          workflow_conclusion: completed
+          if_no_artifact_found: ignore
+          allow_forks: true
+
+      - name: Generate comment content
+        id: generate-comment
+        if: ${{ steps.download-comment.outputs.found_artifact == 'true' }}
+        run: |
+          # Guard against malicious ty ecosystem-analyzer results that symlink to a secret
+          # file on this runner
+          if [[ -L pr/comment/comment.md ]]
+          then
+              echo "Error: comment.md cannot be a symlink"
+              exit 1
+          fi
+
+          # Note: this identifier is used to find the comment to update on subsequent runs
+          echo '<!-- generated-comment ty ecosystem-analyzer -->' > comment.md
+          echo >> comment.md
+          cat pr/comment/comment.md >> comment.md
+
+          echo 'comment<<EOF' >> "$GITHUB_OUTPUT"
+          cat comment.md >> "$GITHUB_OUTPUT"
+          echo 'EOF' >> "$GITHUB_OUTPUT"
+
+      - name: Find existing comment
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+        if: steps.generate-comment.outcome == 'success'
+        id: find-comment
+        with:
+          issue-number: ${{ steps.pr-number.outputs.pr-number }}
+          comment-author: "github-actions[bot]"
+          body-includes: "<!-- generated-comment ty ecosystem-analyzer -->"
+
+      - name: Create or update comment
+        if: steps.find-comment.outcome == 'success'
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ steps.pr-number.outputs.pr-number }}
+          body-path: comment.md
+          edit-mode: replace