Skip to content

On PR merge

On PR merge #17989

Workflow file for this run

name: On PR merge
# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Add `pending-release` label for related issue
# 4. Make a comment in PR if related issue is invalid or can't be labeled
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/record_pr.yml
#
# Security Note:
#
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
workflow_run:
workflows: ["Record PR details"]
types:
- completed
permissions:
contents: read
jobs:
get_pr_details:
permissions:
actions: read # download PR artifact
contents: read # checkout code
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
workflow_origin: ${{ github.event.repository.full_name }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
release_label_on_merge:
needs: get_pr_details
runs-on: ubuntu-latest
permissions:
pull-requests: write # make a comment in PR if unable to find related issue
issues: write # label issue with pending-release
if: needs.get_pr_details.outputs.prIsMerged == 'true'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Label PR related issue for release"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
PR_IS_MERGED: ${{ needs.get_pr_details.outputs.prIsMerged }}
PR_AUTHOR: ${{ needs.get_pr_details.outputs.prAuthor }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const script = require('.github/scripts/label_related_issue.js')
await script({github, context, core})