name: Handle Pull Request on: # WARNING: pull_request_target MUST NOT be used if running code under control # of the source PR [0], as it could risk leaking the GH_TOKENs. # # In this case, we do it as the job needs to run within the context of the # target repo, so it can get a GH_TOKEN which it can use to comment on and # update the PR. # # Crucially, no external code is loaded or run as part of this workflow. # # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,websitehttps://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website # pull_request_target: types: [opened, reopened] env: ALLOWED_TEAM: lando-github-pilot ALLOWED_PATHS: | mobile/android/android-components mobile/android/fenix mobile/android/focus-android GH_REPO: ${{ github.repository }} PR: ${{ github.event.pull_request.number }} GH_TOKEN: ${{ github.token }} jobs: handle-pr: runs-on: ubuntu-latest steps: # Workflows don't get access to organisation metadata via the GITHUB_TOKEN. # We use the Lando Web App to obtain a token with sufficient permissions. - name: Generate a Lando Web token id: generate-lando-web-token uses: actions/create-github-app-token@v2 continue-on-error: true with: app-id: ${{ vars.LANDO_WEB_APP_ID }} private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }} permission-members: read - name: Check team membership id: team continue-on-error: true env: AUTHOR: ${{ github.actor }} GH_ORG: ${{ github.repository_owner }} GH_TOKEN: ${{ steps.generate-lando-web-token.outputs.token }} run: | if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then echo "is_member=true" >> $GITHUB_OUTPUT else echo "is_member=false" >> $GITHUB_OUTPUT fi - name: Check allowed paths id: paths continue-on-error: true if: steps.team.outputs.is_member == 'true' run: | PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|') if gh pr view "${PR}" --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then echo "only_allowed=false" >> $GITHUB_OUTPUT else echo "only_allowed=true" >> $GITHUB_OUTPUT fi - name: Close PR if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true' run: | gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html" gh pr lock "${PR}" - name: Add Lando link if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened' env: # # Set the following variables at the repository level [0]. # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows # LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }} LANDO_REPO: ${{ vars.LANDO_REPO }} # # If they are empty, the following will be used to determine sane defaults. # DEFAULT_LANDO_BASE_URL: https://lando.moz.tools TARGET_BRANCH: ${{ github.base_ref }} run: | LANDO_BASE_URL="${LANDO_BASE_URL:-${DEFAULT_LANDO_BASE_URL}}" # We extract the GitHub repo name and target branch to use as # default LANDO_REPO if unspecified. LANDO_REPO="${LANDO_REPO:-${GH_REPO/*\//}-${TARGET_BRANCH}}" gh pr comment "${PR}" --body "[View this pull request in Lando](${LANDO_BASE_URL}/pulls/${LANDO_REPO}/${PR}) to land it once approved."