On PR merge #8128
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: On PR merge | |
# PROCESS | |
# | |
# 1. Fetch PR details previously saved from untrusted location | |
# 2. Parse details for safety | |
# 3. Add `pending-release` label for related issue | |
# 4. Make a comment in PR if related issue is invalid or can't be labeled | |
# USAGE | |
# | |
# NOTE: meant to be used with ./.github/workflows/record_pr.yml | |
# | |
# Security Note: | |
# | |
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. | |
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. | |
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. | |
# | |
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, | |
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. | |
on: | |
workflow_run: | |
workflows: ["Record PR details"] | |
types: | |
- completed | |
permissions: | |
contents: read | |
jobs: | |
get_pr_details: | |
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' | |
permissions: | |
actions: read # download PR artifact | |
contents: read # checkout code | |
uses: ./.github/workflows/reusable_export_pr_details.yml | |
with: | |
record_pr_workflow_id: ${{ github.event.workflow_run.id }} | |
workflow_origin: ${{ github.event.repository.full_name }} | |
secrets: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
release_label_on_merge: | |
needs: get_pr_details | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write # make a comment in PR if unable to find related issue | |
issues: write # label issue with pending-release | |
if: needs.get_pr_details.outputs.prIsMerged == 'true' | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: "Label PR related issue for release" | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} | |
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }} | |
PR_IS_MERGED: ${{ needs.get_pr_details.outputs.prIsMerged }} | |
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const script = require('.github/scripts/label_related_issue.js') | |
await script({github, context, core}) |