[CI] Add org fork detection warning to auto-label PR workflow (#15588)

2026-05-22 01:42:49 +08:00 · 2026-04-10 12:13:22 +12:00
parent ab71f5276f
commit 668007707d
4 changed files with 91 additions and 7 deletions
@@ -4,6 +4,7 @@ module.exports = {
  CODEOWNERS_MARKER: '<!-- codeowners-request -->',
  TOO_BIG_MARKER: '<!-- too-big-request -->',
  DEPRECATED_COMPONENT_MARKER: '<!-- deprecated-component-request -->',
+  ORG_FORK_MARKER: '<!-- maintainer-access-warning -->',

  MANAGED_LABELS: [
    'new-component',
@@ -281,6 +281,24 @@ async function detectDeprecatedComponents(github, context, changedFiles) {
  return { labels, deprecatedInfo };
 }

+// Strategy: Detect when maintainers cannot modify the PR branch
+function detectMaintainerAccess(context) {
+  const pr = context.payload.pull_request;
+
+  // Only relevant for cross-repo PRs (forks)
+  if (!pr.head.repo || pr.head.repo.full_name === pr.base.repo.full_name) {
+    return null;
+  }
+
+  if (pr.maintainer_can_modify) {
+    return null;
+  }
+
+  const isOrgFork = pr.head.repo.owner.type === 'Organization';
+  console.log(`Maintainer cannot modify PR branch (${isOrgFork ? 'org fork: ' + pr.head.repo.owner.login : 'user disabled'})`);
+  return { isOrgFork, orgName: pr.head.repo.owner.login };
+}
+
 // Strategy: Requirements detection
 async function detectRequirements(allLabels, prFiles, context) {
  const labels = new Set();
@@ -329,5 +347,6 @@ module.exports = {
  detectTests,
  detectPRTemplateCheckboxes,
  detectDeprecatedComponents,
+  detectMaintainerAccess,
  detectRequirements
 };
@@ -12,9 +12,10 @@ const {
  detectTests,
  detectPRTemplateCheckboxes,
  detectDeprecatedComponents,
+  detectMaintainerAccess,
  detectRequirements
 } = require('./detectors');
-const { handleReviews } = require('./reviews');
+const { handleReviews, handleMaintainerAccessComment } = require('./reviews');
 const { applyLabels, removeOldLabels } = require('./labels');

 // Fetch API data
@@ -114,7 +115,8 @@ module.exports = async ({ github, context }) => {
    codeOwnerLabels,
    testLabels,
    checkboxLabels,
-    deprecatedResult
+    deprecatedResult,
+    maintainerAccess
  ] = await Promise.all([
    detectMergeBranch(context),
    detectComponentPlatforms(changedFiles, apiData),
@@ -127,7 +129,8 @@ module.exports = async ({ github, context }) => {
    detectCodeOwner(github, context, changedFiles),
    detectTests(changedFiles),
    detectPRTemplateCheckboxes(context),
-    detectDeprecatedComponents(github, context, changedFiles)
+    detectDeprecatedComponents(github, context, changedFiles),
+    detectMaintainerAccess(context)
  ]);

  // Extract deprecated component info
@@ -177,8 +180,11 @@ module.exports = async ({ github, context }) => {

  console.log('Computed labels:', finalLabels.join(', '));

-  // Handle reviews
-  await handleReviews(github, context, finalLabels, originalLabelCount, deprecatedInfo, prFiles, totalAdditions, totalDeletions, MAX_LABELS, TOO_BIG_THRESHOLD);
+  // Handle reviews and org fork comment
+  await Promise.all([
+    handleReviews(github, context, finalLabels, originalLabelCount, deprecatedInfo, prFiles, totalAdditions, totalDeletions, MAX_LABELS, TOO_BIG_THRESHOLD),
+    handleMaintainerAccessComment(github, context, maintainerAccess)
+  ]);

  // Apply labels
  await applyLabels(github, context, finalLabels);
@@ -2,7 +2,8 @@ const {
  BOT_COMMENT_MARKER,
  CODEOWNERS_MARKER,
  TOO_BIG_MARKER,
-  DEPRECATED_COMPONENT_MARKER
+  DEPRECATED_COMPONENT_MARKER,
+  ORG_FORK_MARKER
 } = require('./constants');

 // Generate review messages
@@ -136,6 +137,63 @@ async function handleReviews(github, context, finalLabels, originalLabelCount, d
  }
 }

+// Handle maintainer access warning comment
+async function handleMaintainerAccessComment(github, context, maintainerAccess) {
+  if (!maintainerAccess) {
+    return;
+  }
+
+  const { owner, repo } = context.repo;
+  const pr_number = context.issue.number;
+  const prAuthor = context.payload.pull_request.user.login;
+
+  // Check if we already posted the warning (iterate pages to exit early)
+  let existingComment;
+  for await (const { data: comments } of github.paginate.iterator(
+    github.rest.issues.listComments,
+    { owner, repo, issue_number: pr_number }
+  )) {
+    existingComment = comments.find(comment =>
+      comment.user.type === 'Bot' &&
+      comment.body && comment.body.includes(ORG_FORK_MARKER)
+    );
+    if (existingComment) {
+      break;
+    }
+  }
+
+  if (existingComment) {
+    console.log('Maintainer access warning comment already exists, skipping');
+    return;
+  }
+
+  let body;
+  if (maintainerAccess.isOrgFork) {
+    body = `${ORG_FORK_MARKER}\n### ⚠️ Organization Fork Detected\n\n` +
+      `Hey there @${prAuthor},\n` +
+      `It looks like this PR was submitted from a fork owned by the **${maintainerAccess.orgName}** organization. ` +
+      `GitHub does not allow maintainers to push changes to pull request branches when the fork is owned by an organization. ` +
+      `This means we won't be able to make small adjustments or fixups to your PR directly.\n\n` +
+      `To allow maintainer collaboration, please re-submit this PR from a personal fork instead.\n\n` +
+      `See: [Setting up the local repository](https://developers.esphome.io/contributing/development-environment/?h=org#set-up-the-local-repository) for more details.`;
+  } else {
+    body = `${ORG_FORK_MARKER}\n### ⚠️ Maintainer Access Disabled\n\n` +
+      `Hey there @${prAuthor},\n` +
+      `It looks like this PR does not have the "Allow edits from maintainers" option enabled. ` +
+      `This means we won't be able to make small adjustments or fixups to your PR directly.\n\n` +
+      `Please enable this option in the PR sidebar to allow maintainer collaboration.`;
+  }
+
+  await github.rest.issues.createComment({
+    owner,
+    repo,
+    issue_number: pr_number,
+    body
+  });
+  console.log('Created maintainer access warning comment');
+}
+
 module.exports = {
-  handleReviews
+  handleReviews,
+  handleMaintainerAccessComment
 };