fix: prevent focus stealing from external contenteditable editors #1502

Workflow file for this run

.github/workflows/pr-labels.yml at 377fa9a

	name: PR Labels

	on:
	pull_request_target:
	types: [opened, reopened]

	permissions:
	contents: read
	pull-requests: write

	concurrency:
	group: risk-label-${{ github.event.pull_request.number }}
	cancel-in-progress: true

	jobs:
	label:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v6

	- name: Generate app token
	id: app-token
	uses: actions/create-github-app-token@v2
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.APP_PRIVATE_KEY }}

	- name: Get changed files and classify risk
	id: risk
	run: \|
	gh pr diff ${{ github.event.pull_request.number }} --name-only \
	\| node .github/scripts/risk-label.mjs > /tmp/risk.json
	echo "level=$(node -e "console.log(JSON.parse(require('fs').readFileSync('/tmp/risk.json','utf-8')).level)")" >> $GITHUB_OUTPUT
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Apply risk label
	uses: actions/github-script@v7
	with:
	github-token: ${{ steps.app-token.outputs.token }}
	script: \|
	const level = '${{ steps.risk.outputs.level }}';

	const LABELS = {
	critical: { name: 'review: thorough', color: 'd73a4a' },
	sensitive: { name: 'review: careful', color: 'fbca04' },
	low: { name: 'review: quick', color: '0e8a16' },
	};

	const prNumber = context.issue.number;
	const owner = context.repo.owner;
	const repo = context.repo.repo;

	// Ensure all risk labels exist
	for (const label of Object.values(LABELS)) {
	try {
	await github.rest.issues.getLabel({ owner, repo, name: label.name });
	} catch {
	try {
	await github.rest.issues.createLabel({
	owner,
	repo,
	name: label.name,
	color: label.color,
	});
	} catch (e) {
	if (e.status !== 422) throw e;
	}
	}
	}

	// Remove stale risk labels, add current one
	const { data: currentLabels } = await github.rest.issues.listLabelsOnIssue({
	owner,
	repo,
	issue_number: prNumber,
	});

	const riskLabels = currentLabels.filter((l) => l.name.startsWith('review: '));
	for (const label of riskLabels) {
	if (label.name !== LABELS[level].name) {
	await github.rest.issues.removeLabel({
	owner,
	repo,
	issue_number: prNumber,
	name: label.name,
	});
	}
	}

	const hasCorrectLabel = riskLabels.some((l) => l.name === LABELS[level].name);
	if (!hasCorrectLabel) {
	await github.rest.issues.addLabels({
	owner,
	repo,
	issue_number: prNumber,
	labels: [LABELS[level].name],
	});
	}

	- name: Add community label
	if: >-
	github.event.action == 'opened' &&
	github.event.pull_request.user.type != 'Bot'
	uses: actions/github-script@v7
	with:
	github-token: ${{ steps.app-token.outputs.token }}
	script: \|
	const owner = context.repo.owner;
	const repo = context.repo.repo;
	const prNumber = context.issue.number;
	const login = context.payload.pull_request.user.login;

	// Check repo permission (more reliable than author_association
	// which depends on token scope for org membership visibility).
	const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
	owner,
	repo,
	username: login,
	});

	const level = perm.permission;
	if (level === 'admin' \|\| level === 'maintain' \|\| level === 'write') {
	core.info(`Skipping community label — ${login} has ${level} access`);
	return;
	}

	const label = { name: 'community', color: '7057ff' };

	try {
	await github.rest.issues.getLabel({ owner, repo, name: label.name });
	} catch {
	try {
	await github.rest.issues.createLabel({ owner, repo, ...label });
	} catch (e) {
	if (e.status !== 422) throw e;
	}
	}

	await github.rest.issues.addLabels({
	owner,
	repo,
	issue_number: prNumber,
	labels: [label.name],
	});

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: prevent focus stealing from external contenteditable editors #1502

Workflow file

fix: prevent focus stealing from external contenteditable editors #1502

Uh oh!

Workflow file for this run