Use a safer way for posting comments on CI

.github/workflows/check-binary-size.yml

@@ -1,11 +1,11 @@
 # This workflow checks if a PR commit has changed the size of a hello world Rust program.
 # It downloads Rustc and compiles two versions of a stage0 compiler - one using the base commit
 # of the PR, and one using the latest commit in the PR.
-# If the size of the hello world program has changed, it posts a comment to the PR.
+# It then uploads the two built binaries as artifacts.
 name: Check binary size
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - master
 
@@ -28,7 +28,9 @@ jobs:
       - name: Fetch backtrace
         run: git submodule update --init library/backtrace
       - name: Create hello world program that uses backtrace
-        run: printf "fn main() { panic!(); }" > foo.rs
+        run: |
+          printf "fn main() { panic!(); }" > foo.rs
+          mkdir -p binaries
       - name: Build binary with base version of backtrace
         run: |
           printf "[llvm]\ndownload-ci-llvm = true\n\n[rust]\nincremental = false\n" > config.toml
@@ -41,7 +43,7 @@ jobs:
           python3 x.py build library --stage 0
           cp -r ./build/x86_64-unknown-linux-gnu/stage0/bin ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin
           cp -r ./build/x86_64-unknown-linux-gnu/stage0/lib/*.so ./build/x86_64-unknown-linux-gnu/stage0-sysroot/lib
-          ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin/rustc -O foo.rs -o binary-reference
+          ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin/rustc -O foo.rs -o binaries/binary-reference
       - name: Build binary with PR version of backtrace
         run: |
           cd library/backtrace
@@ -52,36 +54,10 @@ jobs:
           python3 x.py build library --stage 0
           cp -r ./build/x86_64-unknown-linux-gnu/stage0/bin ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin
           cp -r ./build/x86_64-unknown-linux-gnu/stage0/lib/*.so ./build/x86_64-unknown-linux-gnu/stage0-sysroot/lib
-          ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin/rustc -O foo.rs -o binary-updated
-      - name: Display binary size
-        run: |
-          ls -la binary-*
-          echo "SIZE_REFERENCE=$(stat -c '%s' binary-reference)" >> "$GITHUB_ENV"
-          echo "SIZE_UPDATED=$(stat -c '%s' binary-updated)" >> "$GITHUB_ENV"
-      - name: Post a PR comment if the size has changed
-        uses: actions/github-script@v6
+          ./build/x86_64-unknown-linux-gnu/stage0-sysroot/bin/rustc -O foo.rs -o binaries/binary-updated
+      - name: Upload binaries
+        uses: actions/upload-artifact@v3
         with:
-          script: |
-            const reference = process.env.SIZE_REFERENCE;
-            const updated = process.env.SIZE_UPDATED;
-            const diff = updated - reference;
-            const plus = diff > 0 ? "+" : "";
-            const diff_str = `${plus}${diff}B`;
-
-            if (diff !== 0) {
-              const percent = (((updated / reference) - 1) * 100).toFixed(2);
-              // The body is created here and wrapped so "weirdly" to avoid whitespace at the start of the lines,
-              // which is interpreted as a code block by Markdown.
-              const body = `Below is the size of a hello-world Rust program linked with libstd with backtrace.
-
-            Original binary size: **${reference}B**
-            Updated binary size: **${updated}B**
-            Difference: **${diff_str}** (${percent}%)`;
-
-              github.rest.issues.createComment({
-                issue_number: context.issue.number,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                body
-              })
-            }
+          name: binaries
+          path: binaries/
+# FOO

.github/workflows/post-binary-size.yml

@@ -0,0 +1,24 @@
+# This workflow posts a comment after the Check binary size workflow finishes.
+# It is in a separate workflow to avoid running untrusted code with elevated permissions in the
+# Check binary size workflow
+name: Post binary size
+
+on:
+  workflow_run:
+    workflows: [Check binary size]
+    types:
+      - completed
+
+jobs:
+  post:
+    name: Post binary size
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Download artifact
+        id: download-artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+      - run: ls