From 6d032b293e33428f8d6eeaff6746b3c2b6d6143f Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 21 Nov 2025 09:46:28 -0500 Subject: [PATCH] common: Add rebase workflow Add automatic rebase workflow that triggers when the needs-rebase label is added to a pull request. This provides a secure way to trigger rebases since only users with triage or write permissions can add labels. The workflow uses the app token for permissions and removes the label after the rebase attempt completes. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters
---
common/.github/workflows/rebase.yml | 45 +++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 common/.github/workflows/rebase.yml
diff --git a/common/.github/workflows/rebase.yml b/common/.github/workflows/rebase.yml
new file mode 100644
index 0000000..ab42fbc
--- /dev/null
+++ b/common/.github/workflows/rebase.yml
@@ -0,0 +1,45 @@
+name: Automatic Rebase
+on:
+ pull_request:
+ types: [labeled]
+
+permissions:
+ contents: read
+
+jobs:
+ rebase:
+ name: Rebase
+ if: github.event.label.name == 'needs-rebase'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate Actions Token
+ id: token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ token: ${{ steps.token.outputs.token }}
+ fetch-depth: 0
+
+ - name: Automatic Rebase
+ uses: peter-evans/rebase@v3
+ with:
+ token: ${{ steps.token.outputs.token }}
+
+ - name: Remove needs-rebase label
+ if: always()
+ uses: actions/github-script@v8
+ with:
+ github-token: ${{ steps.token.outputs.token }}
+ script: |
+ await github.rest.issues.removeLabel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ name: 'needs-rebase'
+ });
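Review bot: The app token minted in the `Generate Actions Token` step is broader than this job needs: with `owner:` set and no `repositories:`, `actions/create-github-app-token` scopes the token to every repository in the owner's installation, and that token is then handed to `peter-evans/rebase@v3`, a third-party action referenced by a mutable tag. I would limit it to the current repository by adding `repositories: ${{ github.event.repository.name }}` (or by dropping `owner:`), and narrow it further with the action's `permission-contents: write` and `permission-pull-requests: write` inputs, assuming those are the only scopes the rebase and the label removal need. Pinning the four `uses:` references to full commit SHAs would keep a retagged release from receiving that token. Separately, `pull_request` runs for fork PRs do not receive `secrets.APP_ID` or `secrets.APP_PRIVATE_KEY`, so the token step and the `if: always()` label removal that depends on its output would presumably fail there; a comment at the top of the workflow such as `# Only works for same-repository branches: fork PRs get no secrets` would make that limit explicit.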