# SECURITY: the trigger is pull_request_target, so this workflow runs in the
# context of the base repository, with the token permissions declared below,
# even when the pull request comes from a fork. Never add actions/checkout
# with a PR-controlled ref here: that would execute attacker code with write
# access to secrets. This workflow must only read pull_request metadata.
name: Label External PRs for Import

on:
  pull_request_target:
    types:
      - closed
    branches:
      - main

# Least privilege: the only scope granted is pull-requests write, which the
# labeling step below uses.
permissions:
  pull-requests: write

# One concurrency group per PR number. In-progress runs are not cancelled:
# a partial cancellation could leave a PR unlabeled, and applying the label
# is idempotent, so letting both runs finish is safe.
concurrency:
  group: 'label-external-pr-${{ github.event.pull_request.number }}'
  cancel-in-progress: false

jobs:
  label:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Runs only in circlefin/arc-node and only for closes that were merges.
    # The automated upstream-sync squash PRs are skipped; a PR counts as a
    # sync PR only when BOTH the author is the bot account AND the head
    # branch is the sync branch.
    # NOTE(review): head.ref is a branch name picked by whoever opened the
    # PR, so pairing it with the bot login keeps a branch name alone from
    # opting a PR out of labeling; keep the && if this condition is edited.
    if: >-
      github.repository == 'circlefin/arc-node' &&
      github.event.pull_request.merged == true &&
      !(github.event.pull_request.user.login == 'circle-github-action-bot' &&
      github.event.pull_request.head.ref == 'sync/copybara-export')
    steps:
      - name: Apply pending-import label
        # Expression values reach the script through env and are expanded as
        # quoted shell variables; nothing from the event is interpolated into
        # the script text itself.
        env:
          GH_TOKEN: '${{ github.token }}'
          PR_NUMBER: '${{ github.event.pull_request.number }}'
          REPO: '${{ github.repository }}'
        run: |
          set -euo pipefail
          gh pr edit "${PR_NUMBER}" --repo "${REPO}" --add-label pending-import