[ci] Use pull_request_target for codeowner approved label workflow (#14561)

.github/scripts/codeowners.js

@@ -2,7 +2,7 @@
 //
 // Used by:
 //   - codeowner-review-request.yml
-//   - codeowner-approved-label.yml + codeowner-approved-label-update.yml
+//   - codeowner-approved-label-update.yml
 //   - auto-label-pr/detectors.js (detectCodeOwner)
 
 /**

.github/workflows/codeowner-approved-label-update.yml

@@ -1,13 +1,15 @@
-# Fallback for fork PRs: phase 1 (codeowner-approved-label.yml) handles
+# Adds/removes a 'code-owner-approved' label when a component-specific
-# non-fork PRs directly but can't write labels on fork PRs (read-only token).
+# codeowner approves (or dismisses) a PR.
-# This workflow re-determines the action and applies it if needed.
+#
+# Uses pull_request_target so that fork PRs do not require workflow approval.
+# The label is reconciled on every PR update; for review events specifically,
+# this means the label is applied on the next push after a codeowner review.
 
-name: Codeowner Approved Label Update
+name: Codeowner Approved Label
 
 on:
-  workflow_run:
+  pull_request_target:
-    workflows: ["Codeowner Approved Label"]
+    types: [opened, synchronize, reopened, ready_for_review]
-    types: [completed]
 
 permissions:
   issues: write
@@ -15,51 +17,23 @@ permissions:
   contents: read
 
 jobs:
-  update-label:
+  codeowner-approved:
     name: Run
-    if: >
+    if: ${{ github.repository == 'esphome/esphome' }}
-      github.event.workflow_run.conclusion == 'success' &&
-      github.event.workflow_run.event == 'pull_request_review'
     runs-on: ubuntu-latest
     steps:
-      - name: Get PR details
+      - name: Checkout base branch
-        id: pr
-        env:
-          GH_TOKEN: ${{ github.token }}
-          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
-          REPO: ${{ github.repository }}
-        run: |
-          pr_data=$(gh pr list --repo "$REPO" --state open --search "$HEAD_SHA" \
-            --json number,baseRefName --jq '.[0] // empty')
-
-          if [ -z "$pr_data" ]; then
-            echo "No open PR found for SHA $HEAD_SHA, skipping"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          pr_number=$(echo "$pr_data" | jq -r '.number')
-          base_ref=$(echo "$pr_data" | jq -r '.baseRefName')
-
-          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-          echo "base_ref=$base_ref" >> "$GITHUB_OUTPUT"
-          echo "Found PR #$pr_number targeting $base_ref"
-
-      - name: Checkout base repository
-        if: steps.pr.outputs.skip != 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          repository: ${{ github.repository }}
+          ref: ${{ github.event.pull_request.base.sha }}
-          ref: ${{ steps.pr.outputs.base_ref }}
           sparse-checkout: |
             .github/scripts/codeowners.js
             CODEOWNERS
 
-      - name: Update label
+      - name: Check codeowner approval and update label
-        if: steps.pr.outputs.skip != 'true'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
-          PR_NUMBER: ${{ steps.pr.outputs.pr_number }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         with:
           script: |
             const { loadCodeowners, determineLabelAction, LabelAction } = require('./.github/scripts/codeowners.js');
@@ -76,6 +50,11 @@ jobs:
               github, owner, repo, pr_number, codeownersPatterns, LABEL_NAME
             );
 
+            if (action === LabelAction.NONE) {
+              console.log('No label change needed');
+              return;
+            }
+
             if (action === LabelAction.ADD) {
               await github.rest.issues.addLabels({
                 owner, repo, issue_number: pr_number, labels: [LABEL_NAME]
@@ -90,6 +69,4 @@ jobs:
               } catch (error) {
                 if (error.status !== 404) throw error;
               }
-            } else {
-              console.log('No label change needed');
             }

.github/workflows/codeowner-approved-label.yml

@@ -1,78 +0,0 @@
-# Adds/removes a 'code-owner-approved' label when a component-specific
-# codeowner approves (or dismisses) a PR.
-#
-# Handles non-fork PRs directly. For fork PRs the GITHUB_TOKEN is read-only,
-# so label writes are deferred to codeowner-approved-label-update.yml which
-# triggers via workflow_run with write permissions.
-
-name: Codeowner Approved Label
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-
-permissions:
-  issues: write
-  pull-requests: read
-  contents: read
-
-jobs:
-  codeowner-approved:
-    name: Run
-    if: ${{ github.repository == 'esphome/esphome' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout base branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          sparse-checkout: |
-            .github/scripts/codeowners.js
-            CODEOWNERS
-
-      - name: Check codeowner approval and update label
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        with:
-          script: |
-            const { loadCodeowners, determineLabelAction, LabelAction } = require('./.github/scripts/codeowners.js');
-
-            const owner = context.repo.owner;
-            const repo = context.repo.repo;
-            const pr_number = parseInt(process.env.PR_NUMBER, 10);
-            const LABEL_NAME = 'code-owner-approved';
-
-            console.log(`Processing PR #${pr_number} for codeowner approval label`);
-
-            const codeownersPatterns = loadCodeowners();
-            const action = await determineLabelAction(
-              github, owner, repo, pr_number, codeownersPatterns, LABEL_NAME
-            );
-
-            if (action === LabelAction.NONE) {
-              console.log('No label change needed');
-              return;
-            }
-
-            try {
-              if (action === LabelAction.ADD) {
-                await github.rest.issues.addLabels({
-                  owner, repo, issue_number: pr_number, labels: [LABEL_NAME]
-                });
-                console.log(`Added '${LABEL_NAME}' label`);
-              } else if (action === LabelAction.REMOVE) {
-                await github.rest.issues.removeLabel({
-                  owner, repo, issue_number: pr_number, name: LABEL_NAME
-                });
-                console.log(`Removed '${LABEL_NAME}' label`);
-              }
-            } catch (error) {
-              if (error.status === 403) {
-                console.log('Fork PR: deferring label write to phase 2 workflow');
-              } else if (error.status === 404) {
-                console.log('Label already removed');
-              } else {
-                throw error;
-              }
-            }