chore: add CODEOWNERS check action and auto-triage Bonk job (#30743)

* chore: add CODEOWNERS check action and auto-triage Bonk job

* chore: fix prettier formatting in check-codeowner action

* chore: add explicit permissions to check-codeowner job

* Update .github/actions/check-codeowner/index.ts

Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>

* fix: prettier-compatible regex and literal newline in check-codeowner action

---------

Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com>

Author: mvvmm

.github/actions/check-codeowner/action.yml

@@ -0,0 +1,15 @@
+name: "Check CODEOWNERS"
+description: "Check whether the event actor is listed in CODEOWNERS, including team membership."
+
+inputs:
+  GH_ORG_TOKEN:
+    description: "Token with read:org scope for resolving team membership"
+    required: true
+
+outputs:
+  is-codeowner:
+    description: "true if the actor is a CODEOWNER, false otherwise"
+
+runs:
+  using: "node24"
+  main: "index.js"

.github/actions/check-codeowner/index.js

@@ -0,0 +1,116 @@
+// NOTE: This is the source file!
+// ~> Run `pnpm run build` to produce `index.js`
+
+import * as core from "@actions/core";
+import * as github from "@actions/github";
+
+type Octokit = ReturnType<typeof github.getOctokit>;
+
+function getActor(): string {
+	const { eventName, payload } = github.context;
+
+	switch (eventName) {
+		case "pull_request_target":
+			return payload.pull_request?.user?.login ?? "";
+		case "issue_comment":
+		case "pull_request_review_comment":
+			return payload.comment?.user?.login ?? "";
+		case "pull_request_review":
+			return payload.review?.user?.login ?? "";
+		default:
+			return "";
+	}
+}
+
+async function isTeamMember(
+	octokit: Octokit,
+	org: string,
+	teamSlug: string,
+	username: string,
+): Promise<boolean> {
+	try {
+		const { data } = await octokit.rest.teams.getMembershipForUserInOrg({
+			org,
+			team_slug: teamSlug,
+			username,
+		});
+		return data.state === "active";
+	} catch {
+		return false;
+	}
+}
+
+async function isCodeowner(octokit: Octokit, actor: string): Promise<boolean> {
+	const { repo, owner } = github.context.repo;
+
+	// Fetch CODEOWNERS from the base branch via API — never from a checkout,
+	// so a PR branch cannot tamper with it.
+	const { data } = await octokit.rest.repos.getContent({
+		owner,
+		repo,
+		path: ".github/CODEOWNERS",
+	});
+
+	if (!("content" in data)) {
+		throw new Error("CODEOWNERS is not a file");
+	}
+
+	const content = Buffer.from(data.content, "base64").toString("utf-8");
+
+	// Collect all unique owner tokens from the file, ignoring comments and blank lines.
+	const ownerPattern = new RegExp(
+		"@([a-zA-Z0-9_.-]+(?:/[a-zA-Z0-9_.-]+)?)",
+		"g",
+	);
+	const owners = Array.from(
+		new Set(
+			content
+				.split("\n")
+				.filter((line) => line.trim() && !line.trim().startsWith("#"))
+				.flatMap((line) =>
+					Array.from(line.matchAll(ownerPattern)).map((m) => m[1]),
+				),
+		),
+	);
+
+	for (const ownerEntry of owners) {
+		if (ownerEntry.includes("/")) {
+			// Team reference: org/team-slug
+			const [org, teamSlug] = ownerEntry.split("/");
+			if (await isTeamMember(octokit, org, teamSlug, actor)) {
+				return true;
+			}
+		} else {
+			// Individual user
+			if (ownerEntry.toLowerCase() === actor.toLowerCase()) {
+				return true;
+			}
+		}
+	}
+
+	return false;
+}
+
+(async function () {
+	try {
+		const token = core.getInput("GH_ORG_TOKEN", { required: true });
+		const octokit = github.getOctokit(token);
+
+		const actor = getActor();
+
+		if (!actor) {
+			core.info(`Unsupported event: ${github.context.eventName}. Skipping.`);
+			core.setOutput("is-codeowner", "false");
+			return;
+		}
+
+		core.info(`Checking CODEOWNERS for actor: ${actor}`);
+
+		const result = await isCodeowner(octokit, actor);
+
+		core.info(`${actor} is${result ? "" : " not"} a CODEOWNER`);
+		core.setOutput("is-codeowner", String(result));
+	} catch (error) {
+		core.setFailed(error instanceof Error ? error.message : String(error));
+	}
+})();

.github/actions/check-codeowner/index.ts

@@ -0,0 +1,13 @@
+{
+	"private": true,
+	"version": "0.0.0",
+	"name": "check-codeowner",
+	"scripts": {
+		"build": "esbuild index.ts --bundle --format=cjs --platform=node --minify --outfile=index.js"
+	},
+	"devDependencies": {
+		"@actions/core": "3.0.0",
+		"@actions/github": "9.0.0",
+		"esbuild": "0.14.39"
+	}
+}

.github/actions/check-codeowner/package.json

@@ -7,15 +7,40 @@ on:
     types: [created]
   pull_request_review:
     types: [submitted]
+  pull_request_target:
+    types: [opened]
 
 concurrency:
   # intentionally hardcoded so that all Bonk workflows coexist peacefully
   group: bonk-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
   cancel-in-progress: false
 
 jobs:
+  check-codeowner:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      is-codeowner: ${{ steps.check.outputs.is-codeowner }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 1
+
+      - name: Check CODEOWNERS
+        id: check
+        uses: ./.github/actions/check-codeowner
+        with:
+          GH_ORG_TOKEN: ${{ secrets.GH_ORG_TOKEN }}
+
   bonk:
-    if: github.event.sender.type != 'Bot' && contains(github.event.comment.body, '/bonk') && !contains(github.event.comment.body, '/bigbonk')
+    needs: check-codeowner
+    if: |
+      needs.check-codeowner.outputs.is-codeowner == 'true' &&
+      github.event.sender.type != 'Bot' &&
+      contains(github.event.comment.body, '/bonk') &&
+      !contains(github.event.comment.body, '/bigbonk')
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
@@ -63,3 +88,39 @@ jobs:
           agent: docs
           mentions: "/bonk"
           permissions: CODEOWNERS
+
+  bonk-auto-triage:
+    needs: check-codeowner
+    # pull_request_target is used instead of pull_request so secrets are available,
+    # but we do NOT check out or execute the PR's code — Bonk reads context via the
+    # GitHub API only.
+    if: |
+      needs.check-codeowner.outputs.is-codeowner == 'true' &&
+      github.event_name == 'pull_request_target' &&
+      github.event.sender.type != 'Bot'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      id-token: write
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Run Lil Bonk (auto-triage)
+        uses: ask-bonk/ask-bonk/github@main
+        env:
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }}
+          CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }}
+        with:
+          model: "cloudflare-ai-gateway/workers-ai/@cf/moonshotai/kimi-k2.6"
+          agent: docs
+          permissions: CODEOWNERS
+          token_permissions: NO_PUSH
+          prompt: |
+            Triage this pull request. Review the title, description, and diff.
+            Apply appropriate labels, summarize what the PR changes, and flag
+            any issues that need attention from a maintainer (e.g. missing
+            description, broken links, incorrect frontmatter, style guide
+            violations). You may suggest specific code changes as inline review
+            comments, but do not push commits or open new PRs.