diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
deleted file mode 100644
index bf1d35d519f0..000000000000
--- a/.github/workflows/backport.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: backport
-on:
- pull_request_target:
- types: [labeled, closed]
-permissions:
- contents: read
-jobs:
- maybe-backport:
- uses: kumahq/.github/.github/workflows/wfc_backport.yml@main
- permissions:
- contents: read
- pull-requests: write
- secrets:
- app_id: ${{ secrets.APP_ID }}
- private_key: ${{ secrets.APP_PRIVATE_KEY }}
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index c3709cbafd13..59d64414ce60 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -1,8 +1,6 @@
 name: "PR health"
 on:
- pull_request_target:
- # !!!! Be especially careful with checkouts are we are using: pull_request_target
- # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+ pull_request:
 types: [edited, opened, reopened, synchronize]
 permissions:
 contents: read
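Review bot: With the trigger now `pull_request`, the job-level `pull-requests: write` that survives as context at the top of the next hunk (`permissions: pull-requests: write`) no longer matches what the job does: the only step that wrote to the PR, the sticky checklist comment, is removed in this same commit, and for PRs from forks GitHub would not honour the write scope anyway. If the remaining `Check PR title` step only reads the PR title — its commitlint comment suggests so, but the step body is outside this hunk — change that line to `pull-requests: read` so the workflow keeps only the permission it uses. Moving a job that handles PR content off `pull_request_target` is the right call; the removed warning comment was the reminder of why.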
@@ -13,27 +11,6 @@ jobs:
 permissions:
 pull-requests: write
 steps:
- - name: Add checklist comment
- if: github.event.pull_request.author != 'app/dependabot'
- uses: marocchino/sticky-pull-request-comment@daa4a82a0a3f6c162c02b83fa44b3ab83946f7cb # v2.9.0
- with:
- header: PR reviewer checklist
- only_create: true
- message: |
- ## Reviewer Checklist
- :mag: Each of these sections need to be checked by the reviewer of the PR :mag::
- If something doesn't apply please check the box and add a justification if the reason is non obvious.
-
- - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
- - [ ] PR description is clear and complete. It [Links to relevant issue][1] as well as docs and UI issues
- - [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
- - [ ] IPv6 is taken into account (.e.g: no string concatenation of host port)
- - [ ] Tests (Unit test, E2E tests, manual test on universal and k8s)
- - Don't forget `ci/` labels to run additional/fewer tests
- - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
- - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
-
- [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
 - name: Check PR title
 # Check PR title against the Conventional Commits format using commitlint.
 # For more details, see: https://www.conventionalcommits.org/en/v1.0.0/
diff --git a/.github/workflows/pr-modification.yaml b/.github/workflows/pr-modification.yaml
new file mode 100644
index 000000000000..d1266cada676
--- /dev/null
+++ b/.github/workflows/pr-modification.yaml
@@ -0,0 +1,52 @@
+on:
+ schedule:
+ - cron: '*/5 * * * *' #every 5mins
+permissions:
+ contents: read
+jobs:
+ find-prs:
+ runs-on: ubuntu-24.04
+ outputs:
+ recent_prs: ${{ steps.get-recent-prs.outputs.out }}
+ active_branches: ${{ steps.active-branches.outputs.out }}
+ steps:
+ - id: active-branches
+ run: |
+ echo "out=$(gh api /repos/${{ github.repository }}/contents/active-branches.json --jq '.content | @base64d')" >> $GITHUB_OUTPUT
+ - id: get-recent-prs
+ run: |
+ prs=$(gh pr list --json number,title,url --search "updated:>=$(date --date='10 minutes ago' +'%Y-%m-%dT%H:%M:%S%z') -author:app/github-actions -author:dependabot")
+ echo "out=$prs" >> $GITHUB_OUTPUT
+
+ pr-comment:
+ needs: find-prs
+ runs-on: ubuntu-24.04
+ strategy:
+ matrix: ${{ fromJson(needs.get-prs.outputs.recent_prs) }}
+ max-parallel: 1 # to avoid using too many runners
+ steps:
+ - uses: marocchino/sticky-pull-request-comment@daa4a82a0a3f6c162c02b83fa44b3ab83946f7cb # v2.9.0
+ with:
+ header: PR reviewer checklist
+ only_create: true
+ number: ${{ matrix.number }}
+ message: |
+ ## Reviewer Checklist
+ :mag: Each of these sections need to be checked by the reviewer of the PR :mag::
+ If something doesn't apply please check the box and add a justification if the reason is non obvious.
+ - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
+ - [ ] PR description is clear and complete. It [Links to relevant issue][1] as well as docs and UI issues
+ - [ ] This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
+ - [ ] IPv6 is taken into account (.e.g: no string concatenation of host port)
+ - [ ] Tests (Unit test, E2E tests, manual test on universal and k8s)
+ - Don't forget `ci/` labels to run additional/fewer tests
+ - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
+ - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6), if you want to prevent it from adding the "backport" label use [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)
+
+ [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
+ maybe-backport:
+ needs: find-prs
+ runs-on: ubuntu-24.04
+ strategy:
+ matrix: ${{ fromJson(needs.get-prs.outputs.prs_to_backport) }}
+ max-parallel: 1 # to avoid using too many runners
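Review bot: Both matrix expressions in this new file reference `needs.get-prs`, but the only upstream job is `find-prs`, and `prs_to_backport` is not among the outputs `find-prs` declares (`recent_prs`, `active_branches`), so the workflow fails validation before any step runs; `maybe-backport` also declares no `steps`, which the validator rejects as well. Even with the job name fixed, `gh pr list --json` emits a JSON array while `matrix:` must be a mapping — use `matrix: include: ${{ fromJson(needs.find-prs.outputs.recent_prs) }}` so that `matrix.number` resolves. The `gh` invocations in `find-prs` set no `GH_TOKEN`, and `pr-comment` inherits only the workflow-level `contents: read`, so the sticky-comment step would be refused; granting `pull-requests: write` on the `pr-comment` job alone keeps the write scope confined to the one job that needs it, which is the right shape now that this runs on a schedule in the trusted default-branch context instead of on `pull_request_target`. The `active-branches` step writes `gh api` output with the single-line `out=` form — if active-branches.json spans several lines this output is malformed and needs the `name<<DELIM` form, though nothing in this hunk consumes `active_branches`, so that may be moot.
```yaml
  find-prs:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: read
    env:
      GH_TOKEN: ${{ github.token }}
    # … unchanged: outputs and steps …

  pr-comment:
    needs: find-prs
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write  # the only job that writes; workflow default stays contents: read
    strategy:
      matrix:
        include: ${{ fromJson(needs.find-prs.outputs.recent_prs) }}
      max-parallel: 1  # to avoid using too many runners
    # … unchanged: sticky-pull-request-comment step …

  maybe-backport:
    needs: find-prs
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        include: ${{ fromJson(needs.find-prs.outputs.<OUTPUT_DEFINED_ON_FIND_PRS>) }}
      max-parallel: 1  # to avoid using too many runners
    # steps for this job are missing from the file as committed
```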