Label PR based on title #17269
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Label PR based on title | |
# PROCESS | |
# | |
# 1. Fetch PR details previously saved from untrusted location | |
# 2. Parse details for safety | |
# 3. Label PR based on semantic title (e.g., area, change type) | |
# USAGE | |
# | |
# NOTE: meant to be used with ./.github/workflows/record_pr.yml | |
# | |
# Security Note: | |
# | |
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. | |
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. | |
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. | |
# | |
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, | |
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. | |
on: | |
workflow_run: | |
workflows: ["Record PR details"] | |
types: | |
- completed | |
permissions: | |
contents: read | |
jobs: | |
get_pr_details: | |
permissions: | |
actions: read # download PR artifact | |
contents: read # checkout code | |
# Guardrails to only ever run if PR recording workflow was indeed | |
# run in a PR event and ran successfully | |
if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
uses: ./.github/workflows/reusable_export_pr_details.yml | |
with: | |
record_pr_workflow_id: ${{ github.event.workflow_run.id }} | |
workflow_origin: ${{ github.event.repository.full_name }} | |
secrets: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
label_pr: | |
needs: get_pr_details | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write # label respective PR | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: "Label PR based on title" | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }} | |
PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }} | |
PR_LABELS: ${{ needs.get_pr_details.outputs.prLabels }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
# This safely runs in our base repo, not on fork | |
# thus allowing us to provide a write access token to label based on PR title | |
# and label PR based on semantic title accordingly | |
script: | | |
const script = require('.github/scripts/label_pr_based_on_title.js') | |
await script({github, context, core}) |