.github/workflows/pr-subscriber.yml

   1 name: PR Subscriber
   2
   3 on:
   4   workflow_run:
   5     workflows: ["PR Receive Label"]
   6     types:
   7       - completed
   8
   9 permissions:
  10   actions: read
  11   contents: read
  12
  13 jobs:
  14   auto-subscribe:
  15     runs-on: ubuntu-latest
  16     if: >
  17       github.repository == 'llvm/llvm-project' &&
  18       github.event.workflow_run.event == 'pull_request' &&
  19       github.event.workflow_run.conclusion == 'success'
  20     steps:
  21       - name: Setup Automation Script
  22         run: |
  23           curl -O -L https://raw.githubusercontent.com/"$GITHUB_REPOSITORY"/main/llvm/utils/git/github-automation.py
  24           curl -O -L https://raw.githubusercontent.com/"$GITHUB_REPOSITORY"/main/llvm/utils/git/requirements.txt
  25           curl -O -L https://raw.githubusercontent.com/"$GITHUB_REPOSITORY"/main/.github/workflows/pr-subscriber-wait.py
  26           chmod a+x github-automation.py
  27           pip install -r requirements.txt
  28
  29       - name: 'Wait for other actions'
  30         # We can't use the concurrency tag for these jobs, because it will
  31         # cancel pending jobs if another job is running.
  32         env:
  33           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  34         run: |
  35           python3 pr-subscriber-wait.py
  36
  37
  38       # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  39       # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
  40       - name: 'Download artifact'
  41         uses: actions/github-script@v6
  42         with:
  43           script: |
  44             const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
  45                owner: context.repo.owner,
  46                repo: context.repo.repo,
  47                run_id: context.payload.workflow_run.id
  48             });
  49             const matchArtifact = artifacts.data.artifacts.find((artifact) =>
  50               artifact.name === 'pr'
  51             );
  52             const download = await github.rest.actions.downloadArtifact({
  53                owner: context.repo.owner,
  54                repo: context.repo.repo,
  55                artifact_id: matchArtifact.id,
  56                archive_format: 'zip'
  57             });
  58             const { writeFileSync } = require('node:fs');
  59             writeFileSync('${{ github.workspace }}/pr.zip', Buffer.from(download.data));
  60
  61       - run: unzip pr.zip
  62
  63       - name: Update watchers
  64         # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
  65         run: |
  66           PR_NUMBER=$(cat NR)
  67           LABEL_NAME=$(cat LABEL)
  68           ./github-automation.py \
  69             --token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \
  70             pr-subscriber \
  71             --issue-number "$PR_NUMBER" \
  72             --label-name "$LABEL_NAME"