From b887e5ee01e285fef578b300b7caacc813cf6592 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 15:23:15 +0800 Subject: [PATCH] ci: replace pull_request_target with two-step workflows (backport #841) (#854) * ci: replace pull_request_target with two-step workflows (#841) * ci: update PR auto assign workflows Signed-off-by: Andy Lee * ci: update backport label workflow Signed-off-by: Andy Lee * ci: update backport PR via mergify workflow Signed-off-by: Andy Lee * ci: update add PR label workflow Signed-off-by: Andy Lee * refactor: file name Signed-off-by: Andy Lee * refactor: limit auto-assign-check for target branches Signed-off-by: Andy Lee --------- Signed-off-by: Andy Lee (cherry picked from commit 1a92265d039357ad0c1ae3641c6a9aa32a3ab146) * ci: remove brackets in PR Management Signed-off-by: Andy Lee --------- 
Signed-off-by: Andy Lee Co-authored-by: Andy Lee --- .github/auto-assign-config.yaml | 6 -- .github/workflows/add-pr-label-check.yaml | 39 ++++++++ .github/workflows/add-pr-label.yaml | 33 +++++++ .github/workflows/auto-assign-check.yaml | 28 ++++++ .github/workflows/auto-assign-reviewer.yaml | 17 ---- .github/workflows/auto-assign.yaml | 35 +++++++ .github/workflows/backport-label-check.yaml | 30 ++++++ .github/workflows/backport-label.yaml | 99 +++++++++---------- .github/workflows/backport-request-check.yaml | 28 ++++++ .github/workflows/backport-request.yaml | 38 ++++--- .github/workflows/release-label.yaml | 30 ------ 11 files changed, 259 insertions(+), 124 deletions(-) delete mode 100644 .github/auto-assign-config.yaml create mode 100644 .github/workflows/add-pr-label-check.yaml create mode 100644 .github/workflows/add-pr-label.yaml create mode 100644 .github/workflows/auto-assign-check.yaml delete mode 100644 .github/workflows/auto-assign-reviewer.yaml create mode 100644 .github/workflows/auto-assign.yaml create mode 100644 .github/workflows/backport-label-check.yaml create mode 100644 .github/workflows/backport-request-check.yaml delete mode 100644 .github/workflows/release-label.yaml diff --git a/.github/auto-assign-config.yaml b/.github/auto-assign-config.yaml deleted file mode 100644 index b4f7b33f..00000000 --- a/.github/auto-assign-config.yaml +++ /dev/null @@ -1,6 +0,0 @@ -addAssignees: author -addReviewers: true -numberOfReviewers: 0 -reviewers: -- a110605 -- houhoucoop \ No newline at end of file diff --git a/.github/workflows/add-pr-label-check.yaml b/.github/workflows/add-pr-label-check.yaml new file mode 100644 index 00000000..1aba9403 --- /dev/null +++ b/.github/workflows/add-pr-label-check.yaml 
@@ -0,0 +1,39 @@
+name: "PR Management Add PR Label Collect Data"
+
+on:
+ pull_request:
+ types: [opened, reopened, edited]
+ branches:
+ - main
+ - 'release-harvester-v*'
+
+jobs:
+ collect:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ ref: ${{ github.base_ref }}
+
+ - name: Setup Nodejs and yarn install
+ uses: ./.github/actions/setup
+
+ - name: Extract PR label
+ run: |
+ PR_LABEL=$(node ./scripts/extract-release-label.mjs "${{ github.event.pull_request.title }}")
+ echo "PR_LABEL=$PR_LABEL"
+ {
+ echo "PR_NUMBER=${{ github.event.pull_request.number }}"
+ echo "PR_LABEL=$PR_LABEL"
+ } > pr-add-label-data.env
+
+ - name: Upload PR data artifact
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ with:
+ name: pr-add-label-data
+ path: pr-add-label-data.env
diff --git a/.github/workflows/add-pr-label.yaml b/.github/workflows/add-pr-label.yaml
new file mode 100644
index 00000000..e92b994b
--- /dev/null
+++ b/.github/workflows/add-pr-label.yaml
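Review bot: The `Extract PR label` step expands `${{ github.event.pull_request.title }}` straight into the shell script, so quoting or command-substitution characters in a title are interpreted by the shell before `extract-release-label.mjs` receives anything. Pass the title through the environment instead: add `env:` with `PR_TITLE: ${{ github.event.pull_request.title }}` to the step and call `node ./scripts/extract-release-label.mjs "$PR_TITLE"`. The same expression-inside-`run:` pattern appears in backport-request-check.yaml, where `labels_json='${{ toJson(...) }}'` breaks on a label name containing a single quote. Separately, `actions/upload-artifact` does not appear to need `actions: write`, so the `collect` jobs in the four `*-check.yaml` files could probably run with `contents: read` alone.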
@@ -0,0 +1,33 @@
+name: "PR Management Add PR Label"
+
+on:
+ workflow_run:
+ workflows:
+ - "PR Management Add PR Label Collect Data"
+ types: [completed]
+
+jobs:
+ auto-assign-pr-label:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ permissions:
+ actions: read
+ pull-requests: write
+ steps:
+ - name: Download PR data artifact
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ with:
+ name: pr-add-label-data
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+ - name: Load PR data
+ run: |
+ cat pr-add-label-data.env >> $GITHUB_ENV
+
+ - name: Set PR label
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ echo "PR_LABEL = $PR_LABEL"
+ gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-label "$PR_LABEL"
diff --git a/.github/workflows/auto-assign-check.yaml b/.github/workflows/auto-assign-check.yaml
new file mode 100644
index 00000000..3409109c
--- /dev/null
+++ b/.github/workflows/auto-assign-check.yaml
@@ -0,0 +1,28 @@
+name: "PR Management Auto Assign Collect Data"
+
+on:
+ pull_request:
+ types: [opened, ready_for_review]
+ branches:
+ - main
+ - 'release-harvester-v*'
+
+jobs:
+ collect:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+ steps:
+ - name: Save PR data to artifact
+ run: |
+ {
+ echo "PR_NUMBER=${{ github.event.pull_request.number }}"
+ echo "PR_AUTHOR=${{ github.event.pull_request.user.login }}"
+ } > pr-auto-assign-data.env
+
+ - name: Upload PR data artifact
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ with:
+ name: pr-auto-assign-data
+ path: pr-auto-assign-data.env
\ No newline at end of file
diff --git a/.github/workflows/auto-assign-reviewer.yaml b/.github/workflows/auto-assign-reviewer.yaml
deleted file mode 100644
index b998e2c3..00000000
--- a/.github/workflows/auto-assign-reviewer.yaml
+++ /dev/null
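Review bot: `cat pr-add-label-data.env >> $GITHUB_ENV` in the `Load PR data` step of add-pr-label.yaml copies an artifact verbatim into the environment of a job that holds `pull-requests: write`, and that artifact is written by a `pull_request` run whose content a pull request can influence. Any extra line in the file becomes an environment variable for the later steps, and `PR_NUMBER` and `PR_LABEL` are accepted without any check. The step should read only the keys it expects and validate each value before exporting it, as sketched below; the author, base ref and labels are better fetched from the API with the validated PR number than taken from the artifact. auto-assign.yaml, backport-label.yaml and backport-request.yaml load their artifacts the same way and need the same treatment.

```yaml
      - name: Load PR data
        run: |
          set -euo pipefail
          # Accept only the expected keys, each with a strictly validated value.
          pr_number=$(grep -m1 -E '^PR_NUMBER=[0-9]+$' pr-add-label-data.env | cut -d= -f2)
          # Label character set is an assumption; narrow it to what extract-release-label.mjs can emit.
          pr_label=$(grep -m1 -E '^PR_LABEL=[A-Za-z0-9 ._/-]+$' pr-add-label-data.env | cut -d= -f2-)
          {
            echo "PR_NUMBER=$pr_number"
            echo "PR_LABEL=$pr_label"
          } >> "$GITHUB_ENV"
      # … unchanged: Set PR label step …
```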
@@ -1,17 +0,0 @@
-name: "[PR Management] Auto Assign Reviewer & Assignee"
-
-on:
- pull_request_target:
- types: [opened, ready_for_review]
-
-permissions:
- pull-requests: write
-
-jobs:
- auto-assign:
- if: github.event.pull_request.draft == false
- runs-on: ubuntu-latest
- steps:
- - uses: rancher/gh-issue-mgr/auto-assign-action@b70f0bdf12a03e5e3f33e4f92ccb6c89deb3ebd9 # main
- with:
- configuration-path: .github/auto-assign-config.yaml
diff --git a/.github/workflows/auto-assign.yaml b/.github/workflows/auto-assign.yaml
new file mode 100644
index 00000000..e55271c5
--- /dev/null
+++ b/.github/workflows/auto-assign.yaml
@@ -0,0 +1,35 @@
+name: "PR Management Auto Assign"
+
+on:
+ workflow_run:
+ workflows:
+ - "PR Management Auto Assign Collect Data"
+ types: [completed]
+
+jobs:
+ auto-assign:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ env:
+ REVIEWERS: "a110605,houhoucoop"
+ permissions:
+ actions: read
+ pull-requests: write
+ steps:
+ - name: Download PR data artifact
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+ with:
+ name: pr-auto-assign-data
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+ - name: Load PR data
+ run: |
+ cat pr-auto-assign-data.env >> $GITHUB_ENV
+
+ - name: Auto assign PR author
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ echo "Assigning PR author: $PR_AUTHOR"
+ gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-assignee "$PR_AUTHOR" --add-reviewer "$REVIEWERS"
\ No newline at end of file
diff --git a/.github/workflows/backport-label-check.yaml b/.github/workflows/backport-label-check.yaml
new file mode 100644
index 00000000..61d61b99
--- /dev/null
+++ b/.github/workflows/backport-label-check.yaml
@@ -0,0 +1,30 @@
+name: "PR Management Add Labels Collect Data"
+
+on:
+ pull_request:
+ types: [opened, reopened]
+ branches:
+ - main
+ - 'release-harvester-v*'
+
+jobs:
+ collect:
+ if: github.event.pull_request.draft == false
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+ steps:
+ - name: Save PR data to artifact
+ run: |
+ {
+ echo "PR_NUMBER=${{ github.event.pull_request.number }}"
+ echo "PR_BASE_REF=${{ github.event.pull_request.base.ref }}"
+ echo "PR_USER_LOGIN=${{ github.event.pull_request.user.login }}"
+ } > pr-backport-label-data.env
+
+ - name: Upload PR data artifact
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ with:
+ name: pr-backport-label-data
+ path: pr-backport-label-data.env
diff --git a/.github/workflows/backport-label.yaml b/.github/workflows/backport-label.yaml
index 8ef584da..281cd23a 100644
--- a/.github/workflows/backport-label.yaml
+++ b/.github/workflows/backport-label.yaml
@@ -1,40 +1,44 @@ -name: "[PR Management] Add Labels" +name: "PR Management Add Backport Labels" on: - pull_request_target: - types: [opened, reopened] - branches: - - main - - 'release-harvester-v*' - -permissions: - pull-requests: write + workflow_run: + workflows: + - "PR Management Add Labels Collect Data" + types: [completed] jobs: add-require-backport-label: - if: github.event.pull_request.draft == false && - github.event.pull_request.base.ref == 'main' runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + permissions: + actions: read + pull-requests: write steps: - - name: Checkout repository - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Download PR data artifact + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: - ref: ${{ github.base_ref }} + name: pr-backport-label-data + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} - - name: Fetch release branches and PR labels - id: fetch_info + - name: Load PR data + run: | + cat pr-backport-label-data.env >> $GITHUB_ENV + + - name: Add require-backport label (main branch PRs) + if: env.PR_BASE_REF == 'main' env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | set -euo pipefail repo="${{ github.repository }}" - pr_number=${{ github.event.pull_request.number }} + pr_number="$PR_NUMBER" release_branches=$(gh api "repos/${repo}/branches" --paginate --jq '.[].name' | grep -E '^release-harvester-v[0-9]+\.[0-9]+$' || true) if [[ -z "$release_branches" ]]; then - echo "should_label=false" >> "$GITHUB_OUTPUT" + echo "No release branches found, skipping." exit 0 fi 
@@ -44,51 +48,36 @@ jobs: tags=$(gh api "repos/${repo}/releases" --paginate --jq '.[].tag_name') if echo "$tags" | grep -Fxq "$release_tag"; then - echo "should_label=false" >> "$GITHUB_OUTPUT" + echo "Release $release_tag already published, skipping." exit 0 fi label="require backport/v${version}" - echo "should_label=true" >> "$GITHUB_OUTPUT" - echo "backport_label=$label" >> "$GITHUB_OUTPUT" - pr_labels=$(gh pr view "$pr_number" --repo "$repo" --json labels --jq '.labels[].name' || echo "") - pr_labels_csv=$(echo "$pr_labels" | tr '\n' ',' | sed 's/,$//') - echo "pr_labels=$pr_labels_csv" >> "$GITHUB_OUTPUT" - - name: Add label if needed - if: steps.fetch_info.outputs.should_label == 'true' && !contains(steps.fetch_info.outputs.pr_labels, steps.fetch_info.outputs.backport_label) + if echo "$pr_labels" | grep -Fxq "$label"; then + echo "Label '$label' already present, skipping." + exit 0 + fi + + echo "Adding label: $label" + gh pr edit "$pr_number" --repo "$repo" --add-label "$label" + + - name: Add backport label (release branch PRs opened by Mergify) + if: startsWith(env.PR_BASE_REF, 'release-harvester-v') env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | - echo "Adding label: ${{ steps.fetch_info.outputs.backport_label }}" - gh pr edit ${{ github.event.pull_request.number }} \ - --repo ${{ github.repository }} \ - --add-label "${{ steps.fetch_info.outputs.backport_label }}" + set -euo pipefail - add-backport-label: - if: github.event.pull_request.draft == false && - startsWith(github.event.pull_request.base.ref, 'release-harvester-v') - runs-on: ubuntu-latest - steps: - - name: Check conditions for backport label - id: check - run: | - IS_MERGIFY=$(echo '${{ github.event.pull_request.user.login }}' | grep -iq 'mergify' && echo true || echo false) - TARGET_BRANCH=${{ github.event.pull_request.base.ref }} + IS_MERGIFY=$(echo "$PR_USER_LOGIN" | grep -iq 'mergify' && echo true || echo false) - echo "IS_MERGIFY=$IS_MERGIFY" >> 
$GITHUB_OUTPUT - echo "TARGET_BRANCH=$TARGET_BRANCH" >> $GITHUB_OUTPUT + if [[ "$IS_MERGIFY" != "true" ]]; then + echo "PR author is not Mergify, skipping." + exit 0 + fi - - name: Add label if needed - if: steps.check.outputs.IS_MERGIFY == 'true' && startsWith(steps.check.outputs.TARGET_BRANCH, 'release-harvester-v') - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - TARGET_BRANCH="${{ steps.check.outputs.TARGET_BRANCH }}" - version="${TARGET_BRANCH#release-harvester-v}" + version="${PR_BASE_REF#release-harvester-v}" label="backport/v${version}" - echo "Adding label $label" - gh pr edit ${{ github.event.pull_request.number }} \ - --repo ${{ github.repository }} \ - --add-label "$label" + echo "Adding label: $label" + gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --add-label "$label" diff --git a/.github/workflows/backport-request-check.yaml b/.github/workflows/backport-request-check.yaml new file mode 100644 index 00000000..cb38fe91 --- /dev/null +++ b/.github/workflows/backport-request-check.yaml @@ -0,0 +1,28 @@ +name: "PR Management Request Backport via Mergify Collect Data" + +on: + pull_request: + types: [closed] + branches: [main] + +jobs: + collect: + if: github.event.pull_request.merged == true + runs-on: ubuntu-latest + permissions: + contents: read + actions: write + steps: + - name: Save PR data to artifact + run: | + labels_json='${{ toJson(github.event.pull_request.labels.*.name) }}' + { + echo "PR_NUMBER=${{ github.event.pull_request.number }}" + echo "PR_LABELS=$(echo "$labels_json" | jq -r '[.[]] | join(",")')" + } > pr-backport-request-data.env + + - name: Upload PR data artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: pr-backport-request-data + path: pr-backport-request-data.env diff --git a/.github/workflows/backport-request.yaml b/.github/workflows/backport-request.yaml index 5b4ee7da..73ed654a 100644 --- a/.github/workflows/backport-request.yaml 
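Review bot: The Mergify check in the new release-branch step of backport-label.yaml, `echo "$PR_USER_LOGIN" | grep -iq 'mergify'`, accepts any login that merely contains that substring, and `PR_USER_LOGIN` now comes from the downloaded artifact rather than from the event payload. An exact comparison against the bot account, with the author looked up from the API by PR number, is tighter: `author=$(gh api "repos/${{ github.repository }}/pulls/${PR_NUMBER}" --jq '.user.login')` followed by `if [[ "$author" != "mergify[bot]" ]]; then`. `PR_BASE_REF`, which drives both step-level `if:` conditions and the label version, could be read from the same API response (`.base.ref`). The job itself starts in the previous hunk.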
+++ b/.github/workflows/backport-request.yaml @@ -1,41 +1,47 @@ -name: "[PR Management] Request Backport via Mergify" +name: "PR Management Request Backport via Mergify" on: - pull_request_target: - types: [closed] - branches: [main] - -permissions: - pull-requests: write + workflow_run: + workflows: + - "PR Management Request Backport via Mergify Collect Data" + types: [completed] jobs: comment-backport: - if: github.event.pull_request.merged == true runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + permissions: + actions: read + pull-requests: write steps: - - name: Checkout repository - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Download PR data artifact + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: - ref: ${{ github.base_ref }} + name: pr-backport-request-data + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} + + - name: Load PR data + run: | + cat pr-backport-request-data.env >> $GITHUB_ENV - name: Post Mergify backport command env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | set -euo pipefail - pr_number=${{ github.event.pull_request.number }} + pr_number="$PR_NUMBER" repo="${{ github.repository }}" - labels_json='${{ toJson(github.event.pull_request.labels.*.name) }}' - labels=$(echo "$labels_json" | jq -r '.[] // empty') + labels=$(echo "$PR_LABELS" | tr ',' '\n') echo "Labels on PR: $labels" matches=$(echo "$labels" | grep -oE '^require backport/v[0-9]+\.[0-9]+$' || true) if [[ -z "$matches" ]]; then - echo "No back‑port labels found — skipping." + echo "No back-port labels found — skipping." exit 0 fi diff --git a/.github/workflows/release-label.yaml b/.github/workflows/release-label.yaml deleted file mode 100644 index 5c600b48..00000000 --- a/.github/workflows/release-label.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-name: "[PR Management] Add PR Label"
-
-on:
- pull_request_target:
- types: [opened, reopened, edited]
- branches:
- - main
- - 'release-harvester-v*'
-
-permissions:
- pull-requests: write
-
-jobs:
- auto-assign-pr-label:
- if: github.event.pull_request.draft == false
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- with:
- ref: ${{ github.base_ref }}
- - name: Setup Nodejs and yarn install
- uses: ./.github/actions/setup
- - name: Set PR label
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- PR_LABEL=$(node ./scripts/extract-release-label.mjs "${{ github.event.pull_request.title }}")
- echo "PR_LABEL = $PR_LABEL"
- gh pr edit ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --add-label "$PR_LABEL"