superdoc/.github/workflows/pr-labels.yml at 0c379b2c4cfee56e21ffce4b2b532d7b7c8b8eb8 · superdoc-dev/superdoc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: PR Labels

on:
  pull_request_target:
    types: [opened, reopened]

permissions:
  contents: read
  pull-requests: write

concurrency:
  group: risk-label-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Get changed files and classify risk
        id: risk
        run: |
          gh pr diff ${{ github.event.pull_request.number }} --name-only \
            | node .github/scripts/risk-label.mjs > /tmp/risk.json
          echo "level=$(node -e "console.log(JSON.parse(require('fs').readFileSync('/tmp/risk.json','utf-8')).level)")" >> $GITHUB_OUTPUT
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Apply risk label
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            const level = '${{ steps.risk.outputs.level }}';

            const LABELS = {
              critical: { name: 'review: thorough', color: 'd73a4a' },
              sensitive: { name: 'review: careful', color: 'fbca04' },
              low: { name: 'review: quick', color: '0e8a16' },
            };

            const prNumber = context.issue.number;
            const owner = context.repo.owner;
            const repo = context.repo.repo;

            // Ensure all risk labels exist
            for (const label of Object.values(LABELS)) {
              try {
                await github.rest.issues.getLabel({ owner, repo, name: label.name });
              } catch {
                try {
                  await github.rest.issues.createLabel({
                    owner,
                    repo,
                    name: label.name,
                    color: label.color,
                  });
                } catch (e) {
                  if (e.status !== 422) throw e;
                }
              }
            }

            // Remove stale risk labels, add current one
            const { data: currentLabels } = await github.rest.issues.listLabelsOnIssue({
              owner,
              repo,
              issue_number: prNumber,
            });

            const riskLabels = currentLabels.filter((l) => l.name.startsWith('review: '));
            for (const label of riskLabels) {
              if (label.name !== LABELS[level].name) {
                await github.rest.issues.removeLabel({
                  owner,
                  repo,
                  issue_number: prNumber,
                  name: label.name,
                });
              }
            }

            const hasCorrectLabel = riskLabels.some((l) => l.name === LABELS[level].name);
            if (!hasCorrectLabel) {
              await github.rest.issues.addLabels({
                owner,
                repo,
                issue_number: prNumber,
                labels: [LABELS[level].name],
              });
            }

      - name: Add community label
        if: >-
          github.event.action == 'opened' &&
          github.event.pull_request.user.type != 'Bot'
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const prNumber = context.issue.number;
            const login = context.payload.pull_request.user.login;

            // Check repo permission (more reliable than author_association
            // which depends on token scope for org membership visibility).
            const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner,
              repo,
              username: login,
            });

            const level = perm.permission;
            if (level === 'admin' || level === 'maintain' || level === 'write') {
              core.info(`Skipping community label — ${login} has ${level} access`);
              return;
            }

            const label = { name: 'community', color: '7057ff' };

            try {
              await github.rest.issues.getLabel({ owner, repo, name: label.name });
            } catch {
              try {
                await github.rest.issues.createLabel({ owner, repo, ...label });
              } catch (e) {
                if (e.status !== 422) throw e;
              }
            }

            await github.rest.issues.addLabels({
              owner,
              repo,
              issue_number: prNumber,
              labels: [label.name],
            });