Fix web pixel bundle_ui step #41
Workflow file for this run
```yaml
name: Gardener - Notify Event
# Tiny event capturer: stashes the triggering issue/PR payload as an artifact
# for `gardener-notify-slack.yml` to pick up via workflow_run.
#
# Fires when `devtools-gardener` is applied manually, or automatically for
# Dependabot-opened PRs (which we always want in Slack). Other `opened`
# events are ignored — auto-labeling everything turned out too noisy.
#
# Why two workflows? When Dependabot triggers a workflow, GitHub forces
# GITHUB_TOKEN to read-only and hides Actions secrets — so labeling and
# Slack posting from this workflow would fail on Dependabot PRs. A
# workflow_run-triggered follow-up runs in the default-branch context with
# full permissions and secret access, regardless of the upstream actor.
#
# Uses pull_request_target so fork PRs still produce an artifact when
# labeled. No code is checked out here; this workflow only reads the
# pre-parsed event payload, so there is no pwn-request surface.
on:
  issues:
    types: [labeled]
  pull_request_target:
    types: [opened, labeled]
permissions:
  contents: read
jobs:
  capture:
    if: >-
      github.event.label.name == 'devtools-gardener' ||
      (github.event.action == 'opened' && github.event.pull_request.user.login == 'dependabot[bot]')
    runs-on: ubuntu-latest
    steps:
      - name: Stash event payload
        run: cp "$GITHUB_EVENT_PATH" event.json
      - uses: actions/upload-artifact@v4
        with:
          name: gardener-event
          path: event.json
          retention-days: 1
```
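The workflow comments say the `workflow_run` follow-up runs with full permissions and secret access, while the stashed `event.json` carries fields a PR author controls, such as the title. The following is an added example, not code from this repository: a Python helper such a follow-up could use to re-check the capture condition and forward only allowlisted, escaped fields. The function names, the size limits, the github.com URL check and the sample payload are assumptions.

```python
import json

GARDENER_LABEL = "devtools-gardener"  # label from the capture job's `if:`
DEPENDABOT = "dependabot[bot]"        # login from the capture job's `if:`
MAX_BYTES = 1_000_000                 # assumed cap on event.json size
MAX_TITLE = 200                       # assumed cap on the title we forward


def _get(obj, key):
    """dict lookup that tolerates a non-dict value in unexpected JSON."""
    return obj.get(key) if isinstance(obj, dict) else None


def slack_escape(text):
    """Escape &, < and >, the control characters of Slack message text."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def summarize_event(raw):
    """Return the allowlisted fields of event.json, or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("payload too large")
    event = json.loads(raw)  # JSONDecodeError is a ValueError
    pr = _get(event, "pull_request")
    item = pr if isinstance(pr, dict) else _get(event, "issue")
    if not isinstance(item, dict):
        raise ValueError("no issue or pull_request object")
    # Re-check the capture job's condition instead of assuming it held.
    labeled = _get(_get(event, "label"), "name") == GARDENER_LABEL
    dependabot_pr = (_get(event, "action") == "opened"
                     and _get(_get(pr, "user"), "login") == DEPENDABOT)
    if not (labeled or dependabot_pr):
        raise ValueError("event does not match the gardener conditions")
    number, title, url = (_get(item, k) for k in ("number", "title", "html_url"))
    if type(number) is not int or not isinstance(title, str):
        raise ValueError("unexpected field types")
    if not isinstance(url, str) or not url.startswith("https://github.com/"):
        raise ValueError("unexpected URL")  # github.com host is an assumption
    return {"number": number, "url": url,
            "title": slack_escape(title[:MAX_TITLE])}


# Constructed sample: a labeled fork PR whose title contains Slack markup.
SAMPLE = json.dumps({
    "action": "labeled", "label": {"name": "devtools-gardener"},
    "pull_request": {"number": 7, "title": "fix <!channel> & more",
                     "html_url": "https://github.com/example/repo/pull/7",
                     "user": {"login": "someone"}}})
```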