Bug fixes for "Member Activity Trigger", address edge cases

[t-will-gillis]

Fixes #8323

What changes did you make?

1. in activity-trigger.yml, added logic to github-token so that it defaults to github.token when secrets.HACKFORLA_GRAPHQL_TOKEN is restricted for security reasons (i.e. "pull_request_review")
2. In activity-trigger.js, EXCLUDED_ACTORS is refactored to multi-line
3. In the same file, the actor called assignee was changed to eventObserver. The new variable refers to the primary assignee when available, or to the issue author if not. Note also that the primary issue assignee is context.payload.issue.assignees[0].login; for "issues.closed".
4. in the same file, added condition else if (eventName === 'pull_request_review_comment') {
5. in the same file, revised actionMap to include pull_request_target
6. In post-to-skills-issue.js, added or revised console.log()s
7. in the same file, reordered the functions that a. re-open the issue and b. move the issue to "In progress (actively working)" and wrapped them with a check to see whether the message includes the words "closed" or "assigned"
8. In mutate-issue-status.js, added return true;
9. In the same file, added a catch for the specific error due to an issue being archived
10. In post-issue-comment.js added a return true;

Why did you make the changes (we will use this info to test)?

1. When pull_request_review is the trigger the defined PAT is not available. To prevent the workflow error we need to explicitly define the default token. The odd expression is a simulated ternary operation: the simple github-token = ${{ secrets.HACKFORLA_GRAPHQL_TOKEN || github.token }} evaluates to a Boolean, and does not define which token to use. The expression shown bypasses the strict Boolean and evaluates to github-token = github.token if the PAT is not accessible.
2. For readability
3. The new variable captures both situations, and identifies the primary issue assignee when available.
4. This was previously missing
5. The remaining changes are to ensure that the expected actors are identified
6. The console.log() messages help with debugging
7. The reordering was done so that re-opening the Skills Issue comes first and doesn't proceed to changing the issue status if that fails. The if conditional wrapper is meant to exclude issue closing and issue assigning messages, to prevent conditions where an inactive dev has their issue closed, but the bot posts a message that causes their Skills Issue to reopen
8. The true value is used by post-to-skills-issue.js to post a console.log(), but does not affect other functions that are not expecting any return value
9. Some Skills Issues are archived and are causing errors - this allows the workflow to complete since it is unable to re-open or move an archived issue
10. Same as previously, the true value tells the calling function that the action was successful

CodeQL Alerts

After the PR has been submitted and the resulting GitHub actions/checks have been completed, developers should check the PR for CodeQL alert annotations.

Check the PR's comments. If present on your PR, the CodeQL alert looks similar as shown

Please let us know that you have checked for CodeQL alerts. Please do not dismiss alerts.

• I have checked this PR for CodeQL alerts and none were found.
• I found CodeQL alert(s), and (select one):
  • I have resolved the CodeQL alert(s) as noted
  • I believe the CodeQL alert(s) is a false positive (Merge Team will evaluate)
  • I have followed the Instructions below, but I am still stuck (Merge Team will evaluate)

Instructions for resolving CodeQL alerts

If CodeQL alert/annotations appear, refer to How to Resolve CodeQL alerts.

In general, CodeQL alerts should be resolved prior to PR reviews and merging

Screenshots of Proposed Changes To The Website (if any, please do not include screenshots of code changes)

• No visual changes

Notes to reviewers

• Refer to The "Hack for LA's GitHub Actions" Wiki guide needs additional explanation #6537 (comment), especially Tips 6, 7, and 8, if you have not already created you personal environment for testing.
• How to Test GitHub Actions
• Additional Notes for GitHub Actions

If you are already set up for GHAs, that is have a local Project Board, know about the tokens and labels, etc.:

• Following are some changes for testing. You can make some of the simpler changes to see that the pieces appear to work correctly, but to go "all the way" with the testing (for example, testing Archived issues, trying to force CodeQL to fire, etc.) will be much more involved and might not be needed:

  • Make sure your HACKFORLA_GRAPHQL_TOKEN is active

  • Change the default branch of your repo

  • Change line in activity.trigger.yml to refer to your own repo.

  • Add a Skills Issue in your name to your project and assign it to yourself. Take note of the issue number and add it below.

  • The automation uses GraphQL queries to locate each user's Skills Issue and the bot comment. HfLA's project, status, and field ids are hard-coded in the file github-actions/utils/_data/status-field-ids.js, so you will need to either tell the bot the number of your repo's Skills Issue:

    • In post-to-skills-issue.js, change:

              const isActiveMember = await checkTeamMembership(github, context, eventActor, TEAM);
      

      to:

              // const isActiveMember = await checkTeamMembership(github, context, eventActor, TEAM);
              const isActiveMember = true;
      

    • Change lines 39-44 in post-to-skills-issue.js to:

        // Get eventActor's Skills Issue number, nodeId, current statusId (all null if no Skills Issue found)
        // const skillsInfo = await querySkillsIssue(github, context, username, SKILLS_LABEL);
       const skillsIssueNum = _the number of the skills issue you created_ ;  
       const skillsIssueNodeId = null;
       const skillsStatusId = null;
       const isArchived = false;
      

    • Conversely- this is much more involved and might not be needed- but you could change the values in github-actions/utils/_data/status-field-ids.js to match your repo's values using GitHub Explorer (at least until Nov 1, 2025). Here is how to find that info:
    Extracting Status Field Ids from personal repo

    query findStatusSubfieldId($login: String!, $projNum: Int!, $fieldName: String!) {
      user(login: $login) {
        projectV2(number: $projNum) {
          id
          field(name: $fieldName) { 
            ... on ProjectV2SingleSelectField { 	
              id 
              options { 
                id
                name
              } 
            }
          }
        }
      }
    }  
    
    variables:
    {
      "login":"<your username>",
      "projNum":"<find on projects page>"
      "fieldName": "Status"
    }

    Finding your projNum

    
    Example output from Explorer

    

• After, you should be able to quickly test that a message is being posted to your temporary Skills Issue whenever you open, close, assign, and unassign issues, add a comment, and open and close PRs.

[github-actions]

Want to review this pull request? Take a look at this documentation for a step by step guide!

---

From your project repository, check out a new branch and test the changes.

git checkout -b t-will-gillis-bug-fixes-activity-trigger-edge-8323 gh-pages
git pull https://github.com/t-will-gillis/website.git bug-fixes-activity-trigger-edge-8323

[t-will-gillis]

Hi @santiseccovidal I just made one fix- letting you know so you have the most recent version if you have started testing.

[daras-cu]

@t-will-gillis everything looks good to me, your explanations for the changes are clear and the GHA should function the same other than fixing the bugs in the specified edge cases. I think this is ready to merge.