Merged
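--- a/.github/workflows/hold.yml
+++ b/.github/workflows/hold.yml
@@ -1,16 +1,26 @@
 # Blocks merge when the "do-not-merge/hold" label is applied to a PR.
 #
-# Uses pull_request_target so the label event from forks also triggers this
-# check. This workflow does NOT check out or execute PR code — do not add
-# actions/checkout of the PR head ref or run steps that reference
+# Reusable workflow. Consumer repos wrap it with their own trigger workflow:
+#
+# # .github/workflows/hold.yml in the consumer repo
+# name: "Hold"
+# on:
+# pull_request_target:
+# types: [opened, reopened, synchronize, labeled, unlabeled]
+# merge_group:
+# jobs:
+# hold:
+# uses: generative-computing/.github/.github/workflows/hold.yml@main
+#
+# Uses pull_request_target in the caller so the label event from forks also
+# triggers this check. This workflow does NOT check out or execute PR code —
+# do not add actions/checkout of the PR head ref or run steps that reference
 # PR-controlled files.
 
 name: "Hold"
 
 on:
-pull_request_target: # zizmor: ignore[dangerous-triggers]
-types: [opened, reopened, synchronize, labeled, unlabeled]
-merge_group:
+workflow_call:
 
 permissions: {}
 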
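Review bot: The caller example in the new header comment references the reusable workflow as `hold.yml@main`, a mutable ref, and the same pattern is added to the example in pr-label.yml. Because the documented caller runs on pull_request_target, whatever the `main` branch of this repository holds at run time executes in every consumer repository with the token that caller grants, so one bad push here reaches all consumers at once. The example line would be safer as `uses: generative-computing/.github/.github/workflows/hold.yml@<full-commit-sha>  # <release-tag>` (placeholders), with a sentence telling consumers to bump the pin deliberately. The example also omits the `# zizmor: ignore[dangerous-triggers]` marker that the removed trigger carried, so the comment should say why the trigger is accepted in the caller.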
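--- a/.github/workflows/pr-label.yml
+++ b/.github/workflows/pr-label.yml
@@ -1,6 +1,18 @@
-# This workflow uses pull_request_target, which grants write access to
-# the repo even for PRs from forks. This is safe ONLY because it never checks
-# out or executes code from the PR branch. Do NOT add:
+# Reusable workflow. Consumer repos wrap it with their own trigger workflow:
+#
+# # .github/workflows/pr-label.yml in the consumer repo
+# name: "Label PR by conventional commit prefix"
+# on:
+# pull_request_target:
+# types: [opened, edited, synchronize]
+# merge_group:
+# jobs:
+# label:
+# uses: generative-computing/.github/.github/workflows/pr-label.yml@main
+#
+# The caller uses pull_request_target, which grants write access to the repo
+# even for PRs from forks. This is safe ONLY because this workflow never
+# checks out or executes code from the PR branch. Do NOT add:
 # - actions/checkout (of the PR head ref)
 # - run: steps that reference PR-controlled files
 # - any step that executes code from the pull request
@@ -9,9 +21,7 @@
 name: "Label PR by conventional commit prefix"
 
 on:
-pull_request_target: # zizmor: ignore[dangerous-triggers]
-types: [opened, edited, synchronize]
-merge_group:
+workflow_call:
 
 jobs:
 label: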
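Review bot: The caller example in the new header comment sets no `permissions:` on the `label` job, even though the paragraph below it depends on the caller's pull_request_target token having write access. A called workflow can only keep or reduce the GITHUB_TOKEN permissions passed by its caller, never raise them. In a consumer repo whose default token is read-only the labelling job cannot obtain write scope, and in one whose default is permissive the call hands down more than labelling needs. The example should show an explicit minimal grant on the calling job, for instance a `permissions:` mapping with `pull-requests: write`; confirm this against the scopes the `label` job requests, since its body lies outside the visible hunk. Unlike hold.yml, which keeps `permissions: {}` at workflow level, nothing equivalent is visible between `on:` and `jobs:` here.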