Support reporting status checks and comments from PR rules

[krrish175-byte]

Summary

This pull request implements the enhancement requested in Issue #5977, allowing generic PR rules (e.g., Rego rules) to report status checks and leave PR comments natively without relying on custom Go evaluation engines like vulncheck.

Changes included:

• Protobuf (minder.proto):
  • Added commit_status as an available Alert type.
  • Added pull_request_comment as an available Remediate type.
• Alert Engine: Created a new commit_status action under internal/engine/actions/alert/commit_status which interfaces with the GitHub SetCommitStatus API to surface a success/failure check run directly on the PR.
• Remediate Engine: Linked the existing pull_request_comment alert module into the Remediate registry so it can be utilized in the remediation phase without duplicating logic.

Fixes #5977

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.

• Implemented full unit test coverage for the new commit_status action (commit_status_test.go) utilizing mockghclient.
• Verified that pull_request_comment correctly registers inside the Remediator engine.
• Ran make buf-generate to ensure all generated protobuf Go bindings are clean and up to date.
• Ran go test ./... across the entire internal/engine/actions/... package, with all tests passing successfully.

[coveralls]

coverage: 58.45% (+0.2%) from 58.298% — krrish175-byte:fix/issue-5977 into mindersec:main

[evankanderson]

You'll need to sync your proto changes with main and re-run make gen -- there were some fields added to the proto in another PR.

[evankanderson]

Very nice work, though we may want to consider adding either target_url or description as fields from the proto message, possibly with Go templating for the latter, and RFC6570 templates for the URL.

With respect to the target_url, I'm also trying to figure out whether we should offer some sort of "Rule Status URL" endpoint that could be auto-filled based on server-known parameters. We'd also need to figure out permissions on that endpoint, which is a separate work track. For now, I'd simply allow users to template their own URL, and we can add a separate automagic_url option (bool) in the future that's exclusive with the detail_url on the commit status message.

[evankanderson]

Try pulling the AlertTypePRComment message out of the Alert message, and see whether buf flags that as a breaking change. We had some early use of nested messages that went a bit overboard for these use cases.

Also, if we are going to add PR comments as a remediation type, it would be good to understand (document) in an issue or the PR description when people should use the "remediate" vs "alert" type. A few options:

1. We'll automatically convert "alert: pr_comment" to "remediate: pr_comment"
   • What happens to people who have policies remediation enabled but not alerting, or vice-versa?
2. We'll support all options on both types
   • how do we explain the differences to people?
3. We'll have different options on the two types -- e.g. only remediate can block PR merges
   • Should this be a separate type then?

I'm not trying to be a pain, but it's a lot easier to jump into a mess than to get ourselves back out. 😁

[evankanderson]

We probably should have included a comment here about which types correspond to which entities as well.

[evankanderson]

What is this / what is it used for?

[evankanderson]

Ooof, this is a cleanup opportunity. The Security Alerts feature is GitHub specific, but it should be implemented as a Provider API such that we can do the equivalent GitLab, Forgejo, etc operation. Commit Statuses should be handled similarly, though probably as a different "facet", so a provider could implement one but not the other.

Given the other set of changes here, I think filing an issue to track this in a future PR is the right step.

[evankanderson]

Let's file this issue before we submit the PR, so we don't forget about it.

[evankanderson]

Oh, this is interesting! I would have expected the name of the status check to be in the rule definition. You may also want to distinguish between rule type and rule name (our nomenclature here isn't always consistent, you basically have several "name-like" things:

1. The name field from the profile, if set. If not set, I think there's some defaulting here from either 3 or 2, and I don't recall the exact rules
2. The type field from the profile, which matches the name from the ruletype
3. The display_name from the ruletype

[evankanderson]

While setting up testing for another PR, I realized that we may also need to change the GitHub App recommended permissions to allow updating status checks.

You also have some lint errors that might be fixed by make lint-fix, or might need to be handled by hand.

[krrish175-byte]

Good catch on both fronts.

Lint errors: I will run make lint-fix and address any remaining issues manually in an upcoming push.

GitHub App permissions: That makes sense, we would need statuses: write for the commit status API calls. I will file a separate issue to track the permissions update so it doesn't block this PR.

[evankanderson]

Looking a little bit more deeply, I'm wondering if we should be using "Check Runs" instead of "Status Checks":

https://stackoverflow.com/questions/67919168/github-checks-api-vs-check-runs-vs-check-suites

Pros of Status Check

• Simpler GitHub API
• Works with other types of tokens than GitHub App

Pros of Check Runs

• Automatic grouping under the GitHub App (e.g. "minder")
• Ability to add line-by-line annotations
• Detail page with markdown, and summary images in addition to URL

[evankanderson]

I think pull_request opens a new PR on the repo, so it applies to the "repository" type, not the "pull_request" type.

[evankanderson]

This is probably not right -- I'm assuming this was in hopes of fixing some of the security warnings?

[evankanderson]

Let's file this issue before we submit the PR, so we don't forget about it.

[evankanderson]

How would this be used / what does it show up as?

[evankanderson]

With Go 1.22 and later, you can use cmp.Or for some of this:

Suggested change

	contextStr := "minder"
	contextNameTmpl := alert.alertCfg.GetStatusName()
	if contextNameTmpl != "" {
	// No templating specified for status_name, use as-is
	contextStr = contextNameTmpl
	} else if tmplParams.RuleName != "" {
	contextStr = fmt.Sprintf("minder/%s", tmplParams.RuleName)
	}
	result.Context = contextStr
	contextStr := "minder"
	if tmplParams.RuleName != "" {
	contextStr = fmt.Sprintf("%s/%s", contextStr, tmplParams.RuleName)
	}
	result.Context = cmp.Or(alert.alertCfg.GetStatusName(), contextStr)

[evankanderson]

Can "description" be HTML content? (I don't know, but the GitHub API doesn't say anything about HTML: https://docs.github.com/en/rest/commits/statuses?apiVersion=2026-03-10#create-a-commit-status)

[evankanderson]

Extract the 1024 to a const parameter

[evankanderson]

This feels like it should include output, so you could have a rule that pokes some external system, gets back a URL for the status check, and then loads that URL into the status check.

[evankanderson]

Sorry for jumping around a bit on the status checks; I threw it out there as something which had been previously discussed, but I hadn't actually researched it until after you sent your PR, so I didn't really have any sort of design in mind.

[evankanderson]

Also, it would be good to update https://github.com/mindersec/minder/blob/main/docs/docs/run_minder_server/config_provider.md alongside any changes to necessary GitHub app permissions, since they are in the same repo.

[evankanderson]

I'm marking this PR as "request changes" (needs merge conflicts resolved) to help track which outstanding PRs need maintainer action vs contributor action.

[github-actions]

This PR needs additional information before we can continue. It is now marked as stale because it has been open for 30 days with no activity. Please provide the necessary details to continue or it will be closed in 30 days.