From 004f0b9421b922f0fc65a5a5d19c43edf70e8a0b Mon Sep 17 00:00:00 2001
From: "Paul S. Schweigert"
Date: Fri, 15 May 2026 09:22:54 -0400
Subject: [PATCH] make hold and pr-label workflows reusable

Signed-off-by: Paul S. Schweigert
---
 .github/workflows/hold.yml | 22 ++++++++++++++++------
 .github/workflows/pr-label.yml | 22 ++++++++++++++++------
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/hold.yml b/.github/workflows/hold.yml
index 629cddf..66d6485 100644
--- a/.github/workflows/hold.yml
+++ b/.github/workflows/hold.yml
@@ -1,16 +1,26 @@
 # Blocks merge when the "do-not-merge/hold" label is applied to a PR.
 #
-# Uses pull_request_target so the label event from forks also triggers this
-# check. This workflow does NOT check out or execute PR code — do not add
-# actions/checkout of the PR head ref or run steps that reference
+# Reusable workflow. Consumer repos wrap it with their own trigger workflow:
+#
+# # .github/workflows/hold.yml in the consumer repo
+# name: "Hold"
+# on:
+# pull_request_target:
+# types: [opened, reopened, synchronize, labeled, unlabeled]
+# merge_group:
+# jobs:
+# hold:
+# uses: generative-computing/.github/.github/workflows/hold.yml@main
+#
+# Uses pull_request_target in the caller so the label event from forks also
+# triggers this check. This workflow does NOT check out or execute PR code —
+# do not add actions/checkout of the PR head ref or run steps that reference
 # PR-controlled files.
 
 name: "Hold"
 
 on:
- pull_request_target: # zizmor: ignore[dangerous-triggers]
- types: [opened, reopened, synchronize, labeled, unlabeled]
- merge_group:
+ workflow_call:
 
 permissions: {}
 
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
index 50af3bb..346a2f5 100644
--- a/.github/workflows/pr-label.yml
+++ b/.github/workflows/pr-label.yml
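Review bot: The consumer example in the new header pins the reusable workflow to `@main` and drops the `# zizmor: ignore[dangerous-triggers]` annotation that the old trigger carried, so a repo that copies the snippet verbatim gets a mutable reference plus a new zizmor finding on its own `pull_request_target:` line. Because callers reach this file through `pull_request_target`, the callee runs with the caller's write-capable token against a fork's PR payload, and a mutable ref means any later change to this file on `main` runs in every consumer with those privileges; for cross-repo reuse the usual guidance is a commit SHA (`uses: generative-computing/.github/.github/workflows/hold.yml@<sha>  # vX.Y`) or, if `@main` is deliberate for an org-owned `.github` repo, a sentence saying so. Keep the annotation in the example as `#     pull_request_target: # zizmor: ignore[dangerous-triggers]`. Note also that a called workflow can only narrow, never widen, the permissions the caller passes in, so the example should declare `permissions:` on the caller side explicitly rather than inherit repository defaults; this file's job-level permissions are outside the hunk.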
@@ -1,6 +1,18 @@
-# This workflow uses pull_request_target, which grants write access to
-# the repo even for PRs from forks. This is safe ONLY because it never checks
-# out or executes code from the PR branch. Do NOT add:
+# Reusable workflow. Consumer repos wrap it with their own trigger workflow:
+#
+# # .github/workflows/pr-label.yml in the consumer repo
+# name: "Label PR by conventional commit prefix"
+# on:
+# pull_request_target:
+# types: [opened, edited, synchronize]
+# merge_group:
+# jobs:
+# label:
+# uses: generative-computing/.github/.github/workflows/pr-label.yml@main
+#
+# The caller uses pull_request_target, which grants write access to the repo
+# even for PRs from forks. This is safe ONLY because this workflow never
+# checks out or executes code from the PR branch. Do NOT add:
 # - actions/checkout (of the PR head ref)
 # - run: steps that reference PR-controlled files
 # - any step that executes code from the pull request
@@ -9,9 +21,7 @@
 name: "Label PR by conventional commit prefix"
 
 on:
- pull_request_target: # zizmor: ignore[dangerous-triggers]
- types: [opened, edited, synchronize]
- merge_group:
+ workflow_call:
 
 jobs:
 label:
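Review bot: The "Do NOT add" list in the new header omits the vector that matters most for a title-based labeler: the PR title and body are attacker-controlled even when nothing is checked out, so a `run:` step that inlines `${{ github.event.pull_request.title }}` is a script-injection sink under `pull_request_target`. Suggest a fourth bullet, `# - run: steps that inline ${{ github.event.pull_request.* }} — pass such values through env: and quote them`, regardless of whether the current job (outside this hunk) already does this correctly. As with the hold example, the caller snippet should keep `# zizmor: ignore[dangerous-triggers]` on its `pull_request_target:` line and should pin `uses:` to a commit SHA rather than `@main`, since consumers execute whatever this repository's branch holds with their own write token.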
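Review bot: After switching to `workflow_call:`, nothing in this file limits which caller events reach it, yet the header's safety argument and the labeling logic both assume a `pull_request_target` payload; a consumer that wires it to `pull_request` gets a read-only token on fork PRs, and `merge_group` (kept in the example trigger) carries no `pull_request` object at all, as far as I recall. Making the contract explicit on the job, e.g. `if: github.event_name == 'pull_request_target' && github.event.pull_request != null`, turns a comment-only assumption into a check; the job definition itself lies outside this hunk. The trigger `types` now live in the caller, so a consumer that drops `edited` will silently stop re-labeling on title changes — worth a one-line comment in the example next to `types: [opened, edited, synchronize]`.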