Skip to content

NO-JIRA: chore(gha): add workflow to label PRs with "review-requested" on creation #1768

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 11, 2025
+25 −0
Merged

NO-JIRA: chore(gha): add workflow to label PRs with "review-requested" on creation #1768

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions .github/workflows/notify-team-to-review-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
name: Add Review Requested Label
on: # yamllint disable-line rule:truthy
pull_request:
types: [opened]

Comment on lines +3 to +6
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Fork support: consider pull_request_target or skip forks.

With pull_request, PRs from forks get a read-only token and labeling will fail (“Resource not accessible by integration”). Two safe options:

  • Switch to pull_request_target (no checkout of fork code here, so safe), or
  • Keep pull_request and skip forks to avoid failures.

Example diffs:

Option A (preferred for labeling forks):

-on:
-  pull_request:
-    types: [opened]
+on:
+  pull_request_target:
+    types: [opened]

Option B (skip forks cleanly):

 jobs:
   add-label:
-    if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
+    if: github.event.pull_request.head.repo.fork == false &&
+        contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false

🏁 Script executed:

#!/bin/bash
set -e
echo "=== Workflow File Preview (.github/workflows/notify-team-to-review-pr.yml) ==="
sed -n '1,200p' .github/workflows/notify-team-to-review-pr.yml || true

echo ""
echo "=== Searching for 'label' occurrences in the workflow ==="
grep -R "label" -n .github/workflows/notify-team-to-review-pr.yml || true

Length of output: 1331

Ensure forked PRs can be labeled

Your workflow currently triggers on pull_request, which provides a read-only GITHUB_TOKEN for forked PRs—causing the addLabels call to fail. You can fix this by either:

• Switching the trigger to pull_request_target (preferred), since it runs in the base repo with write permissions.
• Or keeping pull_request and guarding the job to run only on non-forks.

Locations to update:

  • .github/workflows/notify-team-to-review-pr.yml – change the on: block or the job’s if: condition as shown below.

Option A (preferred – write token on forks):

-on:
-  pull_request:
-    types: [opened]
+on:
+  pull_request_target:
+    types: [opened]

Option B (skip forks):

 jobs:
   add-label:
-    if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
+    if: github.event.pull_request.head.repo.fork == false &&
+        contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
🤖 Prompt for AI Agents 
In .github/workflows/notify-team-to-review-pr.yml around lines 3 to 6, the
workflow triggers on pull_request which provides a read-only GITHUB_TOKEN for
forked PRs, causing label addition to fail. Fix this by changing the trigger
from pull_request to pull_request_target to run with write permissions on the
base repo, or alternatively, keep pull_request but add a job-level condition to
skip runs on forked PRs. Update the on: block or add an if: condition
accordingly to ensure the workflow can label forked PRs.

permissions:
pull-requests: write

jobs:
add-label:
if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
runs-on: ubuntu-latest
Comment on lines +12 to +13
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Add a second guard to avoid mislabeling konflux PRs.

Relying solely on the presence of the konflux-nudge label at “opened” can race if that label isn’t present yet. Add an author guard too:

-    if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
+    if: github.actor != 'red-hat-konflux' &&
+        !contains(github.event.pull_request.labels.*.name, 'konflux-nudge')

Also simplified == false to !….

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: contains(github.event.pull_request.labels.*.name, 'konflux-nudge') == false
runs-on: ubuntu-latest
if: github.actor != 'red-hat-konflux' &&
!contains(github.event.pull_request.labels.*.name, 'konflux-nudge')
runs-on: ubuntu-latest
🤖 Prompt for AI Agents 
In .github/workflows/notify-team-to-review-pr.yml at lines 12-13, the condition
only checks if the 'konflux-nudge' label is absent, which can cause race
conditions. Add an additional guard to check the PR author to avoid mislabeling
konflux PRs. Also, simplify the condition by replacing '== false' with a
negation operator '!'. Update the if condition to combine both checks properly.

steps:
- name: Add review-requested label
uses: actions/github-script@v7
with:
# language=javascript
script: |
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: ['review-requested']
});
Loading