tor-browser

The Tor Browser

commit 8efd9e3a86285b7268b2ea85ba016588ed3bf3c5
parent e0033a874c8dffa26d02f177f0ceb6777b6014be
Author: Olivier Mehani <omehani@mozilla.com>
Date:   Mon, 22 Dec 2025 21:11:35 +0000

Bug 2001552, Bug 1996664 - pr-handler: Add Lando link to allowed PRs r=zeid,suhaib DOT_GITHUB_OVERRIDE

Differential Revision: https://phabricator.services.mozilla.com/D275169

Diffstat:
D.github/workflows/close-pr.yml | 61-------------------------------------------------------------
A.github/workflows/pr-handler.yml | 82+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/close-pr.yml b/.github/workflows/close-pr.yml 
@@ -1,61 +0,0 @@ -name: Close Pull Request -on: - # WARNING: pull_request_target MUST NOT be used if running code under control - # of the source PR [0], as it could risk leaking the GH_TOKENs. - # - # In this case, we do it as the job needs to run within the context of the - # target repo, so it can get a GH_TOKEN which it can use to comment on and - # update the PR. - # - # Crucially, no external code is loaded or run as part of this workflow. - # - # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,websitehttps://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website - # - pull_request_target: - types: [opened, reopened] - - -env: - ALLOWED_TEAM: lando-github-pilot - ALLOWED_PATHS: | - mobile/android/android-components - mobile/android/fenix - mobile/android/focus-android - - GH_REPO: ${{ github.repository }} - PR: ${{ github.event.pull_request.number }} - - GH_TOKEN: ${{ github.token }} - -jobs: - close-pr: - runs-on: ubuntu-latest - steps: - - name: Check team membership - id: team - env: - AUTHOR: ${{ github.actor }} - GH_ORG: ${{ github.repository_owner }} - run: | - if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then - echo "is_member=true" >> $GITHUB_OUTPUT - else - echo "is_member=false" >> $GITHUB_OUTPUT - fi - - - name: Check allowed paths - id: paths - if: steps.team.outputs.is_member == 'true' - run: | - PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|') - if gh pr view "${PR}" --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then - echo "only_allowed=false" >> $GITHUB_OUTPUT - else - echo "only_allowed=true" >> $GITHUB_OUTPUT - fi - - - name: Close PR - if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true' - run: | - gh pr close "${PR}" --comment "(Automated Close) Please 
do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html" - gh pr lock "${PR}" diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml 
@@ -0,0 +1,82 @@
+name: Handle Pull Request
+on:
+ # WARNING: pull_request_target MUST NOT be used if running code under control
+ # of the source PR [0], as it could risk leaking the GH_TOKENs.
+ #
+ # In this case, we do it as the job needs to run within the context of the
+ # target repo, so it can get a GH_TOKEN which it can use to comment on and
+ # update the PR.
+ #
+ # Crucially, no external code is loaded or run as part of this workflow.
+ #
+ # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,websitehttps://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website
+ #
+ pull_request_target:
+ types: [opened, reopened]
+
+
+env:
+ ALLOWED_TEAM: lando-github-pilot
+ ALLOWED_PATHS: |
+ mobile/android/android-components
+ mobile/android/fenix
+ mobile/android/focus-android
+
+ GH_REPO: ${{ github.repository }}
+ PR: ${{ github.event.pull_request.number }}
+
+ GH_TOKEN: ${{ github.token }}
+
+jobs:
+ handle-pr:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check team membership
+ id: team
+ env:
+ AUTHOR: ${{ github.actor }}
+ GH_ORG: ${{ github.repository_owner }}
+ run: |
+ if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
+ echo "is_member=true" >> $GITHUB_OUTPUT
+ else
+ echo "is_member=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Check allowed paths
+ id: paths
+ if: steps.team.outputs.is_member == 'true'
+ run: |
+ PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
+ if gh pr view "${PR}" --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then
+ echo "only_allowed=false" >> $GITHUB_OUTPUT
+ else
+ echo "only_allowed=true" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Close PR
+ if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true'
+ run: |
+ gh pr close "${PR}" --comment "(Automated Close) Please
do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
+ gh pr lock "${PR}"
+
+ - name: Add Lando link
+ if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
+ env:
+ #
+ # Set the following variables at the repository level [0].
+ # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows
+ #
+ LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }}
+ LANDO_REPO: ${{ vars.LANDO_REPO }}
+ #
+ # If they are empty, the following will be used to determine sane defaults.
+ #
+ DEFAULT_LANDO_BASE_URL: https://lando.moz.tools
+ TARGET_BRANCH: ${{ github.base_ref }}
+ run: |
+ LANDO_BASE_URL="${LANDO_BASE_URL:-${DEFAULT_LANDO_BASE_URL}}"
+ # We extract the GitHub repo name and target branch to use as
+ # default LANDO_REPO if unspecified.
+ LANDO_REPO="${LANDO_REPO:-${GH_REPO/*\//}-${TARGET_BRANCH}}"
+ gh pr comment "${PR}" --body "[View this pull request in Lando](${LANDO_BASE_URL}/pulls/${LANDO_REPO}/${PR}) to land it once approved."
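Review bot: The allow-list in the `Check allowed paths` step is a bare prefix match, so `grep -vE "^(${PATTERN})"` also accepts sibling trees that merely start with an allowed name (constructed example: `mobile/android/fenix-extra/`); ending the pattern with a separator, `grep -vE "^(${PATTERN})/"`, keeps it to the three listed directories. The same test fails open: when `gh pr view` errors or prints no paths, `grep -v` selects nothing, exits non-zero, and the `else` branch writes `only_allowed=true`, so the listing should be captured first and an empty or failed result treated as not allowed, as sketched below. Since the job runs under `pull_request_target` with `GH_TOKEN: ${{ github.token }}`, an explicit top-level `permissions:` block limited to what `gh pr close`, `gh pr lock` and `gh pr comment` need would also stop the token from inheriting the repository default. These lines are carried over from close-pr.yml, but they now also gate the new `Add Lando link` step.

```yaml
      - name: Check allowed paths
        # … unchanged: id, if …
        run: |
          PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
          # Fail closed: a failed or empty file listing is not "only allowed paths".
          if ! FILES=$(gh pr view "${PR}" --json files --jq '.files[].path') || [ -z "${FILES}" ]; then
            echo "only_allowed=false" >> "$GITHUB_OUTPUT"
          elif printf '%s\n' "${FILES}" | grep -vE "^(${PATTERN})/"; then
            echo "only_allowed=false" >> "$GITHUB_OUTPUT"
          else
            echo "only_allowed=true" >> "$GITHUB_OUTPUT"
          fi
```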