Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/workflows/label-pr-review-state.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,9 +43,29 @@ jobs:
});
}

// Only a `pull_request`/`pull_request_review` run that was itself triggered
// FROM a fork gets a read-only GITHUB_TOKEN — label mutations there 403 with
// "Resource not accessible by integration". `schedule` and `workflow_dispatch`
// runs always execute in the base repo's context with a read/write token, even
// when the PR they're reconciling happens to come from a fork, so they must NOT
// be skipped or fork PRs would never get stale labels cleaned up.
// See: https://docs.github.com/en/actions/concepts/security/github_token
const isReadOnlyRun = Boolean(context.payload.pull_request) &&
context.payload.pull_request.head?.repo?.owner?.login !== owner;

function isForkPR(pr) {
return pr.head?.repo?.owner?.login && pr.head.repo.owner.login !== owner;
}

// Strips stateLabels from a PR, optionally keeping one.
// Also removes stale-awaiting-author when not keeping awaiting-author.
// Only skipped when this run's own token is read-only (see isReadOnlyRun) —
// schedule/workflow_dispatch runs reconcile fork PRs normally.
async function reconcileLabels(pr, desiredLabel) {
if (isReadOnlyRun && isForkPR(pr)) {
core.info(`PR #${pr.number}: fork PR on a read-only run — skipping label mutation`);
return;
}
const currentLabels = new Set(pr.labels.map(l => l.name));
for (const label of stateLabels) {
if (label !== desiredLabel && currentLabels.has(label)) {
Expand Down
Loading