From 74ab11fb67cfde150639b7ac6ac055a66f8ade45 Mon Sep 17 00:00:00 2001
From: Hector Castejon Diaz
Date: Fri, 12 Jun 2026 05:52:01 +0000
Subject: [PATCH 1/2] Add sync-label check: PRs need the maintainer-applied 'sync' label
This repo is a read-only mirror of the internal source of truth; the only PRs that should merge are release syncs. The check fails unless the PR carries the 'sync' label (triage+ permission to apply), so a merge always requires a deliberate maintainer act. Temporary until release automation takes over merging.
Signed-off-by: Hector Castejon Diaz
---
 .github/workflows/sync-label.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/sync-label.yml
diff --git a/.github/workflows/sync-label.yml b/.github/workflows/sync-label.yml
new file mode 100644
index 000000000..948ede703
--- /dev/null
+++ b/.github/workflows/sync-label.yml
@@ -0,0 +1,24 @@
+# This repository is a read-only mirror; the only PRs that should
+# merge are the release sync PRs from the internal source of truth.
+# This check fails unless the PR carries the `sync` label, which only
+# maintainers can apply — making every merge a deliberate act.
+# Temporary guard until release automation takes over merging.
+name: Sync label
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize, labeled, unlabeled]
+
+jobs:
+ sync-label:
+ name: sync-label
+ runs-on: ubuntu-latest
+ steps:
+ - name: Require the `sync` label
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'sync') }}
+ run: |
+ echo "::error::This PR does not carry the 'sync' label. This repository is a read-only mirror — only release sync PRs merge here. If this IS a release sync PR, a maintainer must apply the 'sync' label; community contributions are re-applied in the internal repository instead (see CONTRIBUTING.md)."
+ exit 1
+ - name: Label present
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'sync') }}
+ run: echo "sync label present — this is a release sync PR."
From b7da97ea898d30f9bfba0327cd10815a7bccb30f Mon Sep 17 00:00:00 2001
From: Hector Castejon Diaz
Date: Fri, 12 Jun 2026 08:42:44 +0000
Subject: [PATCH 2/2] sync-label: pass trivially on merge_group
The label gate runs at PR level (required checks must pass to enter the merge queue). Without a merge_group trigger, a required sync-label check would never report on queue groups and stall every entry.
Signed-off-by: Hector Castejon Diaz
---
 .github/workflows/sync-label.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sync-label.yml b/.github/workflows/sync-label.yml
index 948ede703..6a7305dba 100644
--- a/.github/workflows/sync-label.yml
+++ b/.github/workflows/sync-label.yml
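Review bot: In the new sync-label.yml added by patch 1/2, the `pull_request:` trigger makes the job run the workflow definition taken from the PR's own merge ref, so a PR that edits this file can make the `sync-label` check report success without the label ever being applied. Because the job never checks out or executes PR code, evaluating it from the base branch with `pull_request_target:` (same `types:` list) would keep the gate out of the PR author's hands; whether branch protection or a ruleset already covers this is not visible in the patch. With that trigger the token defaults to broader scopes, and the job needs none, so a top-level `permissions: {}` belongs in the file either way. Separately, the label survives later pushes (`synchronize` only re-reads it), so the maintainer's act is tied to the PR rather than to the commits that finally merge; the header comment should state that limitation or the label should be cleared on new pushes.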
@@ -8,17 +8,26 @@ name: Sync label
 on:
 pull_request:
 types: [opened, reopened, synchronize, labeled, unlabeled]
+ # The label gate runs at PR level — a PR can't enter the merge queue
+ # until this check passes there. Merge-group events carry no label
+ # context, so on them the job passes trivially; without this trigger
+ # a required sync-label check would stall every queue entry.
+ merge_group:
+ types: [checks_requested]

 jobs:
 sync-label:
 name: sync-label
 runs-on: ubuntu-latest
 steps:
+ - name: Merge queue — gate already applied at PR level
+ if: ${{ github.event_name == 'merge_group' }}
+ run: echo "merge group — sync label was enforced when the PR entered the queue."
 - name: Require the `sync` label
- if: ${{ !contains(github.event.pull_request.labels.*.name, 'sync') }}
+ if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'sync') }}
 run: |
 echo "::error::This PR does not carry the 'sync' label. This repository is a read-only mirror — only release sync PRs merge here. If this IS a release sync PR, a maintainer must apply the 'sync' label; community contributions are re-applied in the internal repository instead (see CONTRIBUTING.md)."
 exit 1
 - name: Label present
- if: ${{ contains(github.event.pull_request.labels.*.name, 'sync') }}
+ if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'sync') }}
 run: echo "sync label present — this is a release sync PR."
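Review bot: The rewritten step conditions fail open: the job turns red only when `github.event_name == 'pull_request'` and the label is missing, so on any event other than `pull_request` and `merge_group` every step is skipped and the job reports success. Keying the failing step on the single event that is allowed to bypass the label keeps the gate closed if a trigger is added or renamed later: `if: ${{ github.event_name != 'merge_group' && !contains(github.event.pull_request.labels.*.name, 'sync') }}`. The trivial pass on `merge_group` also depends on `sync-label` being configured as a required check at PR level, which this patch cannot show; the comment above `merge_group:` should record that dependency, e.g. `# Relies on sync-label being a required check on the protected branch.`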