fix: fix multiple validation comment for each new commit on the branch

.github/scripts/validate_results.py

@@ -136,6 +136,10 @@ def validate_test(
 # ---------------------------------------------------------------------------
 
 
+# Unique marker so the workflow can find & update this comment
+COMMENT_MARKER = "<!-- integration-test-validation-report -->"
+
+
 def generate_report(
     expected_results: dict,
     conclusions: dict[str, str],
@@ -144,7 +148,7 @@ def generate_report(
     all_errors: dict[str, list[str]],
 ) -> str:
     """Generate a markdown report summarising validation results."""
-    lines: list[str] = []
+    lines: list[str] = [COMMENT_MARKER, ""]
     total_pass = sum(1 for errs in all_errors.values() if not errs)
     total_fail = sum(1 for errs in all_errors.values() if errs)
     total_missing = EXPECTED_COUNT - len(conclusions)
@@ -242,6 +246,12 @@ def main() -> int:
         pip_audit_path = artifact_dir / "pip-audit-report.json"
         if pip_audit_path.exists():
             pip_audit_findings = parse_pip_audit(pip_audit_path)
+        else:
+            # Artifact upload uses least common ancestor, so the file may be nested
+            # e.g. artifacts/security-audit-08/08-poetry-src-both/pip-audit-report.json
+            nested = next(artifact_dir.rglob("pip-audit-report.json"), None)
+            if nested:
+                pip_audit_findings = parse_pip_audit(nested)
 
         all_bandit[num] = bandit_findings
         all_pip_audit[num] = pip_audit_findings

.github/workflows/01-requirements-flat.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 01-requirements-flat
           package_manager: requirements

.github/workflows/02-requirements-src-bandit.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 02-requirements-src-bandit
           package_manager: requirements

.github/workflows/03-requirements-multi-both.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 03-requirements-multi-both
           package_manager: requirements

.github/workflows/04-uv-flat.yml

@@ -22,7 +22,7 @@ jobs:
         run: uv lock
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 04-uv-flat
           package_manager: uv

.github/workflows/05-uv-src-vuln.yml

@@ -22,7 +22,7 @@ jobs:
         run: uv lock
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 05-uv-src-vuln
           package_manager: uv

.github/workflows/06-uv-multi-bandit.yml

@@ -22,7 +22,7 @@ jobs:
         run: uv lock
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 06-uv-multi-bandit
           package_manager: uv

.github/workflows/07-poetry-flat.yml

@@ -22,7 +22,7 @@ jobs:
         run: poetry lock
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 07-poetry-flat
           package_manager: poetry

.github/workflows/08-poetry-src-both.yml

@@ -22,7 +22,7 @@ jobs:
         run: poetry lock
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 08-poetry-src-both
           package_manager: poetry

.github/workflows/09-pipenv-flat.yml

@@ -27,7 +27,7 @@ jobs:
         run: pipenv install
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 09-pipenv-flat
           package_manager: pipenv

.github/workflows/10-pipenv-multi-bandit.yml

@@ -27,7 +27,7 @@ jobs:
         run: pipenv install
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 10-pipenv-multi-bandit
           package_manager: pipenv

.github/workflows/11-requirements-root.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           package_manager: requirements
           requirements_file: 11-requirements-root/requirements.txt

.github/workflows/12-uv-flat-bandit-only.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 12-uv-flat-bandit-only
           tools: bandit

.github/workflows/13-requirements-unfixable.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 13-requirements-unfixable
           package_manager: requirements

.github/workflows/14-uv-low-threshold.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@674cb7133ca058d128f654c427add27f8a1df83b # v0.4.2
+        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
         with:
           working_directory: 14-uv-low-threshold
           tools: bandit

.github/workflows/integration-tests.yml

@@ -143,7 +143,7 @@ jobs:
           NEEDS_JSON: ${{ toJSON(needs) }}
         run: python .github/scripts/validate_results.py
 
-      - name: Post PR comment
+      - name: Post or update PR comment
         if: always()
         env:
           GH_TOKEN: ${{ github.token }}
@@ -152,9 +152,26 @@ jobs:
             echo "No report generated" >&2
             exit 0
           fi
-          # Try to update an existing comment, otherwise create a new one
-          gh pr comment "${{ github.event.pull_request.number }}" \
-            --body-file validation-report.md \
-            --edit-last 2>/dev/null || \
-          gh pr comment "${{ github.event.pull_request.number }}" \
-            --body-file validation-report.md
+
+          MARKER="<!-- integration-test-validation-report -->"
+          PR_NUMBER="${{ github.event.pull_request.number }}"
+
+          # Find existing comment with our marker
+          COMMENT_ID=$(
+            gh api \
+              "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
+              --paginate -q \
+              ".[] | select(.body | contains(\"${MARKER}\")) | .id" \
+            | head -n 1
+          )
+
+          if [ -n "$COMMENT_ID" ]; then
+            gh api \
+              "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+              --method PATCH \
+              -F "body=@validation-report.md"
+            echo "Updated existing comment ${COMMENT_ID}"
+          else
+            gh pr comment "${PR_NUMBER}" --body-file validation-report.md
+            echo "Created new comment"
+          fi

.vscode/settings.json

@@ -0,0 +1,7 @@
+{
+    "chat.tools.terminal.autoApprove": {
+        "uv": true,
+        "git push": true,
+        "gh": true
+    }
+}

11-requirements-root/requirements.txt

@@ -1 +1 @@
-flask==3.1.1
+flask==3.1.3

expected_results.yml

@@ -56,7 +56,7 @@ tests:
     bandit_findings:
       - rule_id: B506
         level: warning
-      - rule_id: B303
+      - rule_id: B324
         level: warning
     pip_audit_findings: []
 
@@ -70,7 +70,7 @@ tests:
     name: "poetry · src/ · bandit MEDIUM + pip-audit"
     expected_conclusion: failure
     bandit_findings:
-      - rule_id: B303
+      - rule_id: B324
         level: warning
       - rule_id: B105
         level: warning