Keeping track of access control changes is hard — unless your CI does it for you.

This guide shows how to:

  • Generate a Role × Field matrix in HTML
  • Detect diffs between dev and prod RBAC
  • Auto-post a visual report as a comment on the related GitHub Pull Request

No more guessing who can access what: reviewers see the permission delta inline on the pull request as soon as the job finishes.


1. Output Format: HTML Report

Use your rbac-matrix.js (one CSV row per role, table, field and operation) or a similar script to generate the matrix for each environment, then diff the two:

node rbac-matrix.js metadata-dev/ > rbac-dev.csv
node rbac-matrix.js metadata-prod/ > rbac-prod.csv
node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html

Example table (simplified):

<table>
  <tr><th>Role</th><th>Table</th><th>Field</th><th>Diff</th></tr>
  <tr><td>user</td><td>invoices</td><td>amount</td><td style="color: red;">SELECT: Removed</td></tr>
  <tr><td>admin</td><td>logs</td><td>ip_address</td><td style="color: green;">INSERT: Added</td></tr>
</table>

Wrap this with a heading:

<h3>RBAC Drift Report</h3>
...table here...

2. GitHub Actions Workflow

Step 1: Prepare workflow file .github/workflows/rbac-report.yml

name: RBAC Diff and PR Comment

on:
  pull_request:
    paths:
      # Must match the directories the scripts below read; a filter on
      # 'metadata/**' would never fire for metadata-dev/ or metadata-prod/.
      - 'metadata-dev/**'
      - 'metadata-prod/**'

# GITHUB_TOKEN is read-only by default; posting a comment needs pull-requests: write.
# Note: pull_request runs from forked repositories still get a read-only token.
permissions:
  contents: read
  pull-requests: write

jobs:
  rbac-diff:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA before relying on this in production.
      - uses: actions/checkout@v3

      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: '18'

      - name: Install Deps
        run: npm ci   # reproducible install from package-lock.json

      - name: Generate RBAC Diff Report
        run: |
          node rbac-matrix.js metadata-dev/ > rbac-dev.csv
          node rbac-matrix.js metadata-prod/ > rbac-prod.csv
          node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html

      - name: Find Existing Report Comment
        uses: peter-evans/find-comment@v3
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: RBAC Drift Report

      - name: Post Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body-path: ./rbac-diff.html
          edit-mode: replace

💡 Tip: edit-mode: replace only takes effect when a comment-id is supplied; without one, create-or-update-comment posts a fresh comment on every run. The find-comment step looks up the bot's earlier comment by the "RBAC Drift Report" heading (an empty comment-id on the first run simply creates it), so the PR carries a single report that is updated in place.


3. Optional: Format HTML as Markdown for Better PR UX

GitHub's comment sanitizer strips inline style attributes, so the red/green colouring in the HTML table above will not render in a PR comment. Instead of a full HTML table, have diff-rbac.js emit a GitHub-flavored Markdown table and mark the change with text and emoji:

| Role | Table | Field | Diff |
|------|-------|--------|------|
| user | invoices | amount | ~~SELECT~~ ❌ |
| admin | logs | ip_address | ✅ INSERT |

Then write the report to rbac-diff.md in the Generate step and set body-path: ./rbac-diff.md in the Post Comment step.
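The page's rbac-matrix.js and diff-rbac.js are not shown, so here is an added, self-contained sketch of what those two scripts do end to end; it is example code written for this guide, not the project's own. It flattens Hasura-style table metadata (the select_permissions / insert_permissions / update_permissions / delete_permissions blocks of a v2 tables.yaml, loaded here from constructed JSON rather than from disk) into a role × field matrix, round-trips it through the rbac-dev.csv / rbac-prod.csv intermediate format, diffs the two environments, and renders the Markdown table from section 3. The function names and the two sample metadata objects are assumptions made for the example.

```javascript
// Added example (not the page's own rbac-matrix.js / diff-rbac.js):
// Hasura-style table metadata -> role x field matrix -> CSV -> diff -> GFM table.

// Hasura v2 permission blocks that carry a column list.
const OPS = {
  select_permissions: 'SELECT',
  insert_permissions: 'INSERT',
  update_permissions: 'UPDATE',
};

// Build a Set of "role|schema.table|field|OP" keys from table metadata objects.
// delete_permissions are row-level (no column list) and are recorded under "*".
function buildMatrix(tables) {
  const matrix = new Set();
  for (const t of tables) {
    const table = `${t.table.schema}.${t.table.name}`;
    for (const [key, op] of Object.entries(OPS)) {
      for (const p of t[key] || []) {
        for (const field of p.permission.columns || []) {
          matrix.add([p.role, table, field, op].join('|'));
        }
      }
    }
    for (const p of t.delete_permissions || []) {
      matrix.add([p.role, table, '*', 'DELETE'].join('|'));
    }
  }
  return matrix;
}

// CSV round-trip matching the rbac-dev.csv / rbac-prod.csv intermediates.
// Assumes identifiers contain no commas or newlines (true of SQL identifiers
// and Hasura role names in practice); sorted so the files diff cleanly in git too.
function matrixToCsv(matrix) {
  const rows = [...matrix].sort().map((k) => k.replace(/\|/g, ','));
  return ['role,table,field,op', ...rows].join('\n');
}
function csvToMatrix(csv) {
  return new Set(csv.trim().split('\n').slice(1).map((line) => line.split(',').join('|')));
}

// Diff base (e.g. prod) against head (e.g. dev): "added" grants exist only in
// head and widen access, so they deserve the closest review; "removed" grants
// exist only in base.
function diffMatrix(baseCsv, headCsv) {
  const base = csvToMatrix(baseCsv);
  const head = csvToMatrix(headCsv);
  const rows = [];
  for (const k of head) if (!base.has(k)) rows.push({ key: k, change: 'added' });
  for (const k of base) if (!head.has(k)) rows.push({ key: k, change: 'removed' });
  return rows
    .sort((a, b) => a.key.localeCompare(b.key))
    .map(({ key, change }) => {
      const [role, table, field, op] = key.split('|');
      return { role, table, field, op, change };
    });
}

// Render the GFM table. Pipes and backticks in identifiers are escaped so an
// odd role or column name cannot break out of its cell in the PR comment.
function toMarkdown(rows) {
  const esc = (s) => String(s).replace(/[|`]/g, (c) => '\\' + c);
  const lines = ['| Role | Table | Field | Diff |', '|------|-------|-------|------|'];
  for (const r of rows) {
    const diff = r.change === 'added' ? `✅ ${r.op}` : `~~${r.op}~~ ❌`;
    lines.push(`| ${esc(r.role)} | ${esc(r.table)} | ${esc(r.field)} | ${diff} |`);
  }
  if (rows.length === 0) lines.push('| _none_ | | | no RBAC drift |');
  return lines.join('\n');
}

// Constructed sample metadata: prod lets `user` read invoices.amount; the dev
// branch drops that grant and lets `admin` insert logs.ip_address.
const PROD_TABLES = [
  { table: { schema: 'public', name: 'invoices' },
    select_permissions: [{ role: 'user', permission: { columns: ['id', 'amount'], filter: {} } }] },
  { table: { schema: 'public', name: 'logs' },
    insert_permissions: [{ role: 'admin', permission: { columns: ['message'], check: {} } }] },
];
const DEV_TABLES = [
  { table: { schema: 'public', name: 'invoices' },
    select_permissions: [{ role: 'user', permission: { columns: ['id'], filter: {} } }] },
  { table: { schema: 'public', name: 'logs' },
    insert_permissions: [{ role: 'admin', permission: { columns: ['message', 'ip_address'], check: {} } }] },
];

// Full pipeline on the sample: returns the structured rows and the Markdown body.
function report() {
  const prodCsv = matrixToCsv(buildMatrix(PROD_TABLES));
  const devCsv = matrixToCsv(buildMatrix(DEV_TABLES));
  const rows = diffMatrix(prodCsv, devCsv);
  return { rows, markdown: toMarkdown(rows) };
}

console.log(report().markdown);
```

In the real scripts, rbac-matrix.js would read the tables/*.yaml files from the directory given on the command line and print matrixToCsv(...), and diff-rbac.js would read the two CSV paths and print toMarkdown(diffMatrix(...)) to the file the workflow passes to body-path. Keeping the "added" and "removed" directions explicit matters: a reviewer's attention belongs on the rows that grant something new.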


4. Result in PR

When a contributor changes Hasura metadata in a PR:

✅ RBAC diff is generated

✅ Visual diff table is posted as PR comment

✅ Reviewers can approve/reject RBAC changes inline


Final Thoughts

RBAC is infrastructure. Treat it like code.

When security drifts silently, CI must speak loudly.

With RBAC visual bots in place, every permission change is surfaced for review before it merges.

Next:

  • Slack alerts on critical diffs
  • Diff severity heatmaps
  • RBAC policy-as-code enforcement gate

Comment the matrix. Review the diff. Secure the graph.