shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-04 05:28:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
08ffcb74c6bc4d5d269c2d8c9d44de80098a6fa1
coder/.github/workflows/contrib.yaml
T
Ethan ea9e39d87c fix: give cla workflow pull request write permissions (#15820) 
When https://github.com/coder/coder/pull/15349 was added, it implicitly
set all the other permissions to none.

From
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
> If you specify the access for any of these permissions, all of those
that are not specified are set to none.
2024-12-11 15:53:08 +11:00

182 lines
6.5 KiB
YAML
Raw Blame History

name: contrib
on:
issue_comment:
types: [created]
pull_request_target:
types:
- opened
- closed
- synchronize
- labeled
- unlabeled
- opened
- reopened
- edited
# For jobs that don't run on draft PRs.
- ready_for_review
permissions:
contents: read
# Only run one instance per PR to ensure in-order execution.
concurrency: pr-${{ github.ref }}
jobs:
# Dependabot is annoying, but this makes it a bit less so.
auto-approve-dependabot:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request_target'
permissions:
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: auto-approve dependabot
uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
if: github.actor == 'dependabot[bot]'
cla:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: cla
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# the below token should have repo scope and must be manually added by you in the repository's secret
PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCI2_GITHUB_TOKEN }}
with:
remote-organization-name: "coder"
remote-repository-name: "cla"
path-to-signatures: "v2022-09-04/signatures.json"
path-to-document: "https://github.com/coder/cla/blob/main/README.md"
# branch should not be protected
branch: "main"
# Some users have signed a corporate CLA with Coder so are exempt from signing our community one.
allowlist: "coryb,aaronlehmann,dependabot*"
release-labels:
runs-on: ubuntu-latest
# Skip tagging for draft PRs.
if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: release-labels
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
# This script ensures PR title and labels are in sync:
#
# When release/breaking label is:
# - Added, rename PR title to include ! (e.g. feat!:)
# - Removed, rename PR title to strip ! (e.g. feat:)
#
# When title is:
# - Renamed (+!), add the release/breaking label
# - Renamed (-!), remove the release/breaking label
script: |
const releaseLabels = {
breaking: "release/breaking",
}
const { action, changes, label, pull_request } = context.payload
const { title } = pull_request
const labels = pull_request.labels.map((label) => label.name)
const isBreakingTitle = isBreaking(title)
// Debug information.
console.log("Action: %s", action)
console.log("Title: %s", title)
console.log("Labels: %s", labels.join(", "))
const params = {
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
}
if (action === "opened" || action === "reopened") {
if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
console.log('Add "%s" label', releaseLabels.breaking)
await github.rest.issues.addLabels({
...params,
labels: [releaseLabels.breaking],
})
}
}
if (action === "edited" && changes.title) {
if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
console.log('Add "%s" label', releaseLabels.breaking)
await github.rest.issues.addLabels({
...params,
labels: [releaseLabels.breaking],
})
}
if (!isBreakingTitle && labels.includes(releaseLabels.breaking)) {
const wasBreakingTitle = isBreaking(changes.title.from)
if (wasBreakingTitle) {
console.log('Remove "%s" label', releaseLabels.breaking)
await github.rest.issues.removeLabel({
...params,
name: releaseLabels.breaking,
})
} else {
console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
await github.rest.issues.update({
...params,
title: toBreaking(title),
})
}
}
}
if (action === "labeled") {
if (label.name === releaseLabels.breaking && !isBreakingTitle) {
console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
await github.rest.issues.update({
...params,
title: toBreaking(title),
})
}
}
if (action === "unlabeled") {
if (label.name === releaseLabels.breaking && isBreakingTitle) {
console.log('Rename title from "%s" to "%s"', title, fromBreaking(title))
await github.rest.issues.update({
...params,
title: fromBreaking(title),
})
}
}
function isBreaking(t) {
return t.split(" ")[0].endsWith("!:")
}
function toBreaking(t) {
const parts = t.split(" ")
return [parts[0].replace(/:$/, "!:"), ...parts.slice(1)].join(" ")
}
function fromBreaking(t) {
const parts = t.split(" ")
return [parts[0].replace(/!:$/, ":"), ...parts.slice(1)].join(" ")
}
Reference in New Issue View Git Blame Copy Permalink