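---
name: Handle Pull Request

on:
  # WARNING: pull_request_target MUST NOT be used if running code under control
  # of the source PR [0], as it could risk leaking the GH_TOKENs.
  #
  # In this case, we do it as the job needs to run within the context of the
  # target repo, so it can get a GH_TOKEN which it can use to comment on and
  # update the PR.
  #
  # Crucially, no external code is loaded or run as part of this workflow:
  # every `run:` step below only invokes the GitHub CLI, and all PR-derived
  # values (number, base branch, actor) reach the shell through `env:` rather
  # than inline `${{ }}` expansion, so they are never parsed as shell syntax.
  #
  # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website
  #
  pull_request_target:
    types: [opened, reopened]


env:
  ALLOWED_TEAM: lando-github-pilot
  # One directory per line. A PR is accepted only if every changed file lives
  # under one of these directories. Entries are joined into an extended regex
  # by the "Check allowed paths" step, so keep them free of regex
  # metacharacters (or escape them).
  ALLOWED_PATHS: |
    mobile/android/android-components
    mobile/android/fenix
    mobile/android/focus-android

  GH_REPO: ${{ github.repository }}
  PR: ${{ github.event.pull_request.number }}

  GH_TOKEN: ${{ github.token }}

jobs:
  handle-pr:
    runs-on: ubuntu-latest
    steps:

      # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
      # We use the Lando Web App to obtain a token with sufficient permissions.
      # `continue-on-error` keeps the job going if minting fails; the membership
      # check below then fails closed (no usable token -> not a member -> close).
      - name: Generate a Lando Web token
        id: generate-lando-web-token
        uses: actions/create-github-app-token@v2
        continue-on-error: true
        with:
          app-id: ${{ vars.LANDO_WEB_APP_ID }}
          private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
          permission-members: read

      - name: Check team membership
        id: team
        continue-on-error: true
        env:
          # NOTE(review): github.actor is whoever triggered the event. For
          # `reopened` that can be a maintainer rather than the PR author; use
          # github.event.pull_request.user.login if the author is what is meant.
          AUTHOR: ${{ github.actor }}
          GH_ORG: ${{ github.repository_owner }}
          # Overrides the workflow-level GH_TOKEN for this step only.
          GH_TOKEN: ${{ steps.generate-lando-web-token.outputs.token }}
        run: |
          # Any failure here (empty token, API error, not a member) lands in
          # the else branch, so this check fails closed.
          if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
            echo "is_member=true" >> "${GITHUB_OUTPUT}"
          else
            echo "is_member=false" >> "${GITHUB_OUTPUT}"
          fi

      - name: Check allowed paths
        id: paths
        continue-on-error: true
        if: steps.team.outputs.is_member == 'true'
        run: |
          # Fetch the file list on its own, not inside a pipeline. With the
          # runner's default shell (bash with -e, no pipefail) a failing
          # `gh pr view` aborts the step here, leaving `only_allowed` unset so
          # the "Close PR" step runs. Inside `gh pr view | grep -v` the failure
          # would be masked: grep would see no input, match nothing, and the
          # PR would be treated as allowed.
          FILES="$(gh pr view "${PR}" --json files --jq '.files[].path')"
          # Join the allowed directories into a regex alternation; xargs
          # collapses the block scalar's newlines (and trailing blank line).
          PATTERN="$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')"
          # Anchor at the directory boundary so an entry matches only that
          # directory, not a sibling whose name merely starts with it. The
          # offending paths are left in the log (no -q) to aid debugging.
          if [ -z "${FILES}" ] || printf '%s\n' "${FILES}" | grep -vE "^(${PATTERN})/"; then
            echo "only_allowed=false" >> "${GITHUB_OUTPUT}"
          else
            echo "only_allowed=true" >> "${GITHUB_OUTPUT}"
          fi

      # Runs when either check failed, was skipped or was inconclusive: an
      # unset output compares unequal to 'true', so the gate fails closed.
      - name: Close PR
        if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true'
        run: |
          gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
          gh pr lock "${PR}"

      - name: Add Lando link
        if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
        env:
          #
          # Set the following variables at the repository level [0].
          # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows
          #
          LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }}
          LANDO_REPO: ${{ vars.LANDO_REPO }}
          #
          # If they are empty, the following will be used to determine sane defaults.
          #
          DEFAULT_LANDO_BASE_URL: https://lando.moz.tools
          TARGET_BRANCH: ${{ github.base_ref }}
        run: |
          LANDO_BASE_URL="${LANDO_BASE_URL:-${DEFAULT_LANDO_BASE_URL}}"
          # We extract the GitHub repo name (everything after the last "/")
          # and target branch to use as default LANDO_REPO if unspecified.
          LANDO_REPO="${LANDO_REPO:-${GH_REPO/*\//}-${TARGET_BRANCH}}"
          gh pr comment "${PR}" --body "[View this pull request in Lando](${LANDO_BASE_URL}/pulls/${LANDO_REPO}/${PR}) to land it once approved."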