
chore(IDX): add github token to CLA check #159

Merged
cgundy merged 9 commits into main from add-checkout-steps-back
May 20, 2025

@cgundy
Contributor

@cgundy cgundy commented May 19, 2025

There was a permissions issue with running the CLA, so I'm trying to add the token.

@cgundy cgundy requested a review from jwndlng May 19, 2025 15:11
@cgundy cgundy requested a review from a team as a code owner May 19, 2025 15:11
@jwndlng
Member

jwndlng commented May 19, 2025

A general comment: Can we please use pinned actions instead of version/branches?

@cgundy
Contributor Author

cgundy commented May 19, 2025

> Can we please use pinned actions instead of version/branches?

Sure, I'll actually add that to a different PR first

@cgundy
Contributor Author

cgundy commented May 20, 2025

> Can we please use pinned actions instead of version/branches?

Addressed in #160
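
Added example, not part of the original thread or the project's code: a small Python check for the pinning request above, flagging `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow and the `example-org/example-action` SHA are constructed for illustration.

```python
import re

# Captures the value of a `uses:` key (a step, or a job calling a reusable workflow).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - name: Add Label
        uses: actions/github-script@v6
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-check
"""


def classify_ref(uses_value):
    """Classify one `uses:` value as 'pinned', 'unpinned', 'local' or 'docker'."""
    if uses_value.startswith("./"):
        return "local"    # lives in the same repository, versioned with the workflow
    if uses_value.startswith("docker://"):
        return "docker"   # container image; digest pinning is a separate check
    _, sep, ref = uses_value.partition("@")
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    return "unpinned"     # tag, branch, abbreviated SHA, or no ref at all


def find_unpinned(workflow_text):
    """Return (line_number, uses_value) for every reference that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue      # ignore commented-out steps
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "unpinned":
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

A tag such as `v6` or a branch such as `main` can be moved to different code by whoever controls the action's repository; a full commit SHA cannot.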

@basvandijk
Contributor

> the repo needs to check out the repo itself so that it can either close

Are you sure?

The example from superbrothers/close-pull-request doesn't mention that a checkout is needed.

> or add a label.

The example from actions/github-script also doesn't mention you need a checkout.

@jwndlng
Member

jwndlng commented May 20, 2025

I think the checkout is used so that the context changes to the other repo and the GH commands will automatically target this repo. This can potentially be avoided by explicitly naming the target repo.

E.g.

      - name: Add Label
        uses: actions/github-script@v6
        if: ${{ steps.accepts_external_contrib.outputs.accepts_contrib != 'false' }}
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["external-contributor"]
            })

could be

      - name: Add Label
        uses: actions/github-script@v6
        if: ${{ steps.accepts_external_contrib.outputs.accepts_contrib != 'false' }}
        with:
          script: |
            // Inside github-script, `github` is the Octokit client; the event
            // payload (the workflow's `github.event`) is `context.payload`.
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.payload.pull_request.base.repo.owner.login,
              repo: context.payload.pull_request.base.repo.name,
              labels: ["external-contributor"]
            })

@cgundy
Contributor Author

cgundy commented May 20, 2025

So actually, the error we were getting was a permissions error: https://github.com/dfinity/pic-js/actions/runs/15072330334/job/42371540281?pr=134 - is it possible the issue is something else entirely? The CLA github app has write access to pull requests for all repos, so I assumed it was related to the change we made with removing the checkout step.

@cgundy
Contributor Author

cgundy commented May 20, 2025

I can try Jan's suggestion as well

@cgundy cgundy changed the title from "chore(IDX): add checkout steps back to the CLA" to "chore(IDX): change owner and repo ref for CLA check" May 20, 2025
@cgundy cgundy changed the title from "chore(IDX): change owner and repo ref for CLA check" to "chore(IDX): add github token to CLA check" May 20, 2025
Member

@jwndlng jwndlng left a comment

LGTM

@cgundy cgundy merged commit 875ac0e into main May 20, 2025
8 checks passed
@cgundy cgundy deleted the add-checkout-steps-back branch May 20, 2025 13:11
cgundy added a commit that referenced this pull request Oct 20, 2025
* chore(IDX): add workflow_call back (#158)

* chore(IDX): pin action to commit (#160)

* chore(IDX): add github token to CLA check (#159)

* chore(IDX): add checkout steps back to the CLA

* switch to base

* switch to base

* update owner and repo

* update

* add context

* update ref

* update token

* chore(IDX): add new bot to list of approved bots (#161)

* Update check_cla_ruleset.yml (#162)

Cleaning up quotes

* chore(deps): bump requests from 2.32.3 to 2.32.4 (#163)

Bumps [requests](https://github.com/psf/requests) from 2.32.3 to 2.32.4.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.3...v2.32.4)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump urllib3 from 2.2.3 to 2.5.0 (#164)

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.3 to 2.5.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.2.3...2.5.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(IDX): allow testing with droid-uexternal user (#165)

Temporarily allow 'droid-uexternal' bot to contribute for testing.

* Revert "chore(IDX): allow testing with droid-uexternal user (#165)" (#167)

This reverts commit 2262404.

* chore: close external PRs that touch blacklisted files (#166)

Instead of just commenting on external PRs that touch blacklisted files this commit causes them to be closed as well.

We intend to use this in dfinity/ic to automatically close PRs by non-DFINITY contributors that touch files under `.github`. See: dfinity/ic#7307.

This also changes the definition of an "external" PR from any PR created by a non-DFINITY member to any PR created from a fork. The latter is easier to determine because we don't need to query the GitHub API. Also note that the set of PRs created from forks includes the set of PRs created by non-DFINITY members since non-DFINITY members can create PRs from source repos since they're not allowed to push there.

Finally this commit simplifies the `reusable_workflows/repo_policies/check_external_changes.py` Python code by not fetching the `.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST` file from within the script but using the `actions/checkout` action instead.

Tested here: dfinity/test-compliant-repository-public#72 (comment).

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Marko Kosmerl <marko.kosmerl@dfinity.org>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bas van Dijk <bas@dfinity.org>