From 3738cdc2855dd45136c2a46886b73cce57899b7b Mon Sep 17 00:00:00 2001
From: shenxianpeng
Date: Thu, 27 Feb 2025 04:47:41 +0800
Subject: [PATCH 1/4] gh-127785: Reduce permissions in the `check labels` workflow (#130596)

(cherry picked from commit 5ba69e747fa9da984a307b2cbc9f82bac1e0db04)
---
 .github/workflows/require-pr-label.yml | 51 +++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ee91e2a39a198d..7e534c58c798d1 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -5,18 +5,57 @@ on:
 types: [opened, reopened, labeled, unlabeled, synchronize]
 
 jobs:
- label:
- name: DO-NOT-MERGE / unresolved review
+ label-dnm:
+ name: DO-NOT-MERGE
 if: github.repository_owner == 'python'
 runs-on: ubuntu-latest
 permissions:
- issues: write
- pull-requests: write
+ pull-requests: read
 timeout-minutes: 10
 
 steps:
- - uses: mheap/github-action-required-labels@v5
+ - name: Check there's no DO-NOT-MERGE
+ uses: mheap/github-action-required-labels@v5
 with:
 mode: exactly
 count: 0
- labels: "DO-NOT-MERGE, awaiting changes, awaiting change review"
+ labels: |
+ DO-NOT-MERGE
+
+ label-reviews:
+ name: Unresolved review
+ if: github.repository_owner == 'python'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ timeout-minutes: 10
+
+ steps:
+ # Check that the PR is not awaiting changes from the author due to previous review.
+ - name: Check there's no required changes
+ uses: mheap/github-action-required-labels@v5
+ with:
+ mode: exactly
+ count: 0
+ labels: |
+ awaiting changes
+ awaiting change review
+ - id: is-feature
+ name: Check whether this PR is a feature (contains a "type-feature" label)
+ uses: mheap/github-action-required-labels@v5
+ with:
+ mode: exactly
+ count: 1
+ labels: |
+ type-feature
+ exit_type: success # don't fail the check if the PR is not a feature, just record the result
+ # In case of a feature PR, check for a complete review (contains an "awaiting merge" label).
+ - id: awaiting-merge
+ if: steps.is-feature.outputs.status == 'success'
+ name: Check for complete review
+ uses: mheap/github-action-required-labels@v5
+ with:
+ mode: exactly
+ count: 1
+ labels: |
+ awaiting merge

From 768a9715565f6af3af596090b2e7d3123393b617 Mon Sep 17 00:00:00 2001
From: shenxianpeng
Date: Thu, 27 Feb 2025 09:35:56 +0000
Subject: [PATCH 2/4] [3.13] gh-127785: Reduce permissions in the `check labels` workflow (GH-130596)

(cherry picked from commit 5ba69e747fa9da984a307b2cbc9f82bac1e0db04)
Co-authored-by: shenxianpeng
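Review bot: Every added `uses: mheap/github-action-required-labels@v5` line in both jobs still resolves a third-party action through a mutable major-version tag, so dropping to `pull-requests: read` only limits what a hijacked or force-moved tag could do with the job token, not whether it runs at all. Pin each reference to the full commit SHA of the v5 release and keep the version in a trailing comment, e.g. `uses: mheap/github-action-required-labels@<full-commit-sha> # v5`, so Dependabot can still track updates. The trigger block sits above the hunk, but the `labeled`/`unlabeled` event types show this fires on pull-request events, which is exactly where unpinned actions are most exposed. The read-only scope looks sufficient because no step enables the action's comment-posting option, which would presumably need write access; worth confirming against the action's documentation before relying on it.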
From 37e6c81759e3cf376be9af35b1483c7721aa08b0 Mon Sep 17 00:00:00 2001
From: shenxianpeng
Date: Thu, 27 Feb 2025 10:24:05 +0000
Subject: [PATCH 3/4] Same applies to #130625 from code review

---
 .github/workflows/require-pr-label.yml | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index 7e534c58c798d1..88e391bc1b76ea 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -40,22 +40,3 @@ jobs:
 labels: |
 awaiting changes
 awaiting change review
- - id: is-feature
- name: Check whether this PR is a feature (contains a "type-feature" label)
- uses: mheap/github-action-required-labels@v5
- with:
- mode: exactly
- count: 1
- labels: |
- type-feature
- exit_type: success # don't fail the check if the PR is not a feature, just record the result
- # In case of a feature PR, check for a complete review (contains an "awaiting merge" label).
- - id: awaiting-merge
- if: steps.is-feature.outputs.status == 'success'
- name: Check for complete review
- uses: mheap/github-action-required-labels@v5
- with:
- mode: exactly
- count: 1
- labels: |
- awaiting merge

From 7088588b2a3c9ac9a0b2ea19eefef38ef80a6bcc Mon Sep 17 00:00:00 2001
From: shenxianpeng
Date: Thu, 27 Feb 2025 14:34:24 +0000
Subject: [PATCH 4/4] fixup! Same applies to #130625 from code review

---
 .github/workflows/require-pr-label.yml | 29 ++++----------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index 88e391bc1b76ea..d7c2580d4e0808 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -5,8 +5,8 @@ on:
 types: [opened, reopened, labeled, unlabeled, synchronize]
 
 jobs:
- label-dnm:
- name: DO-NOT-MERGE
+ label:
+ name: DO-NOT-MERGE / unresolved review
 if: github.repository_owner == 'python'
 runs-on: ubuntu-latest
 permissions:
@@ -14,29 +14,8 @@ jobs:
 timeout-minutes: 10
 
 steps:
- - name: Check there's no DO-NOT-MERGE
- uses: mheap/github-action-required-labels@v5
+ - uses: mheap/github-action-required-labels@v5
 with:
 mode: exactly
 count: 0
- labels: |
- DO-NOT-MERGE
-
- label-reviews:
- name: Unresolved review
- if: github.repository_owner == 'python'
- runs-on: ubuntu-latest
- permissions:
- pull-requests: read
- timeout-minutes: 10
-
- steps:
- # Check that the PR is not awaiting changes from the author due to previous review.
- - name: Check there's no required changes
- uses: mheap/github-action-required-labels@v5
- with:
- mode: exactly
- count: 0
- labels: |
- awaiting changes
- awaiting change review
+ labels: "DO-NOT-MERGE, awaiting changes, awaiting change review"
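Review bot: The restored single step drops the descriptive `name:` the earlier commit had introduced, so in the run log the check appears only under the action's own name and a failing run no longer says which labels blocked it. Keeping a one-line `- name: Check there's no DO-NOT-MERGE or unresolved-review label` above the `uses:` line documents that without changing behaviour. The re-added `uses: mheap/github-action-required-labels@v5` is also still a floating tag; pinning it to the release's full commit SHA (`@<full-commit-sha> # v5`) is the standard hardening for a third-party action that runs with the repository token on pull-request events. The job header and its `permissions:` block start above this hunk.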