Mirrors_Framework/esphome
1
0
Fork 0
mirror of https://github.com/esphome/esphome.git synced 2026-05-10 05:37:55 +08:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

[ci] Use pull_request_target for codeowner approved label workflow (#14561)

Browse Source
This commit is contained in:
J. Nick Koston
2026-03-06 07:33:05 -10:00
committed by GitHub
parent 82629c397f
commit 6e3bc7b1dd
3 changed files with 21 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/scripts/codeowners.js
+1 -1
View File
@@ -2,7 +2,7 @@
//
// Used by:
// - codeowner-review-request.yml
// - codeowner-approved-label.yml + codeowner-approved-label-update.yml
// - codeowner-approved-label-update.yml
// - auto-label-pr/detectors.js (detectCodeOwner)
/**
.github/workflows/codeowner-approved-label-update.yml
+20 -43
View File
@@ -1,13 +1,15 @@
# Fallback for fork PRs: phase 1 (codeowner-approved-label.yml) handles
# non-fork PRs directly but can't write labels on fork PRs (read-only token).
# This workflow re-determines the action and applies it if needed.
# Adds/removes a 'code-owner-approved' label when a component-specific
# codeowner approves (or dismisses) a PR.
#
# Uses pull_request_target so that fork PRs do not require workflow approval.
# The label is reconciled on every PR update; for review events specifically,
# this means the label is applied on the next push after a codeowner review.
name: Codeowner Approved Label Update
name: Codeowner Approved Label
on:
workflow_run:
workflows: ["Codeowner Approved Label"]
types: [completed]
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
permissions:
issues: write
@@ -15,51 +17,23 @@ permissions:
contents: read
jobs:
update-label:
codeowner-approved:
name: Run
if: >
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event == 'pull_request_review'
if: ${{ github.repository == 'esphome/esphome' }}
runs-on: ubuntu-latest
steps:
- name: Get PR details
id: pr
env:
GH_TOKEN: ${{ github.token }}
HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
REPO: ${{ github.repository }}
run: |
pr_data=$(gh pr list --repo "$REPO" --state open --search "$HEAD_SHA" \
--json number,baseRefName --jq '.[0] // empty')
if [ -z "$pr_data" ]; then
echo "No open PR found for SHA $HEAD_SHA, skipping"
echo "skip=true" >> "$GITHUB_OUTPUT"
exit 0
fi
pr_number=$(echo "$pr_data" | jq -r '.number')
base_ref=$(echo "$pr_data" | jq -r '.baseRefName')
echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
echo "Found PR #$pr_number targeting $base_ref"
- name: Checkout base repository
if: steps.pr.outputs.skip != 'true'
- name: Checkout base branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: ${{ github.repository }}
ref: ${{ steps.pr.outputs.base_ref }}
ref: ${{ github.event.pull_request.base.sha }}
sparse-checkout: |
.github/scripts/codeowners.js
CODEOWNERS
- name: Update label
if: steps.pr.outputs.skip != 'true'
- name: Check codeowner approval and update label
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ steps.pr.outputs.pr_number }}
PR_NUMBER: ${{ github.event.pull_request.number }}
with:
script: |
const { loadCodeowners, determineLabelAction, LabelAction } = require('./.github/scripts/codeowners.js');
@@ -76,6 +50,11 @@ jobs:
github, owner, repo, pr_number, codeownersPatterns, LABEL_NAME
);
if (action === LabelAction.NONE) {
console.log('No label change needed');
return;
}
if (action === LabelAction.ADD) {
await github.rest.issues.addLabels({
owner, repo, issue_number: pr_number, labels: [LABEL_NAME]
@@ -90,6 +69,4 @@ jobs:
} catch (error) {
if (error.status !== 404) throw error;
}
} else {
console.log('No label change needed');
}
.github/workflows/codeowner-approved-label.yml
-78
View File
@@ -1,78 +0,0 @@
# Adds/removes a 'code-owner-approved' label when a component-specific
# codeowner approves (or dismisses) a PR.
#
# Handles non-fork PRs directly. For fork PRs the GITHUB_TOKEN is read-only,
# so label writes are deferred to codeowner-approved-label-update.yml which
# triggers via workflow_run with write permissions.
name: Codeowner Approved Label
on:
pull_request_review:
types: [submitted, dismissed]
permissions:
issues: write
pull-requests: read
contents: read
jobs:
codeowner-approved:
name: Run
if: ${{ github.repository == 'esphome/esphome' }}
runs-on: ubuntu-latest
steps:
- name: Checkout base branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.base.sha }}
sparse-checkout: |
.github/scripts/codeowners.js
CODEOWNERS
- name: Check codeowner approval and update label
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
with:
script: |
const { loadCodeowners, determineLabelAction, LabelAction } = require('./.github/scripts/codeowners.js');
const owner = context.repo.owner;
const repo = context.repo.repo;
const pr_number = parseInt(process.env.PR_NUMBER, 10);
const LABEL_NAME = 'code-owner-approved';
console.log(`Processing PR #${pr_number} for codeowner approval label`);
const codeownersPatterns = loadCodeowners();
const action = await determineLabelAction(
github, owner, repo, pr_number, codeownersPatterns, LABEL_NAME
);
if (action === LabelAction.NONE) {
console.log('No label change needed');
return;
}
try {
if (action === LabelAction.ADD) {
await github.rest.issues.addLabels({
owner, repo, issue_number: pr_number, labels: [LABEL_NAME]
});
console.log(`Added '${LABEL_NAME}' label`);
} else if (action === LabelAction.REMOVE) {
await github.rest.issues.removeLabel({
owner, repo, issue_number: pr_number, name: LABEL_NAME
});
console.log(`Removed '${LABEL_NAME}' label`);
}
} catch (error) {
if (error.status === 403) {
console.log('Fork PR: deferring label write to phase 2 workflow');
} else if (error.status === 404) {
console.log('Label already removed');
} else {
throw error;
}
}