Preventing maintainer docs from automerging if marked with "do-not-merge" label #5111
+115
−42
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ | |
| # We DO NOT check out PR code; we only read PR metadata via the API. | ||
| on: | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened, ready_for_review, edited, labeled, unlabeled] | ||
| paths: | ||
| - 'sdkdocs/**' | ||
|
|
||
|
|
@@ -43,59 +43,125 @@ jobs: | |
| { label: 'automerge: rust', teamSlug: 'maintainers-rust-sdk', prefixes: ['sdkdocs/rust/content/en/'] }, | ||
| ]; | ||
|
|
||
| const action = context.payload.action; | ||
|
|
||
| // Helper: verify a user is an active member of a team | ||
| async function checkMembership(teamSlug, username) { | ||
| const membership = await github.rest.teams.getMembershipForUserInOrg({ | ||
| org: owner, team_slug: teamSlug, username | ||
| }); | ||
| return membership.data.state === 'active'; | ||
| } | ||
|
|
||
| // Helper: verify all PR files fall within a single mapping's prefixes | ||
| async function resolveMapping(number) { | ||
| const files = await github.paginate( | ||
| github.rest.pulls.listFiles, | ||
| { owner, repo, pull_number: number, per_page: 100 } | ||
| ); | ||
| if (files.length === 0) return null; | ||
| let mapping = null; | ||
| for (const f of files) { | ||
| const matched = MAPPINGS.find(m => m.prefixes.some(p => f.filename.startsWith(p))); | ||
| if (!matched) return null; | ||
| if (!mapping) mapping = matched; | ||
| else if (mapping !== matched) return null; | ||
| } | ||
| return mapping; | ||
| } | ||
|
|
||
| if (action === 'labeled') { | ||
| // --- Maintainer-approved flow --- | ||
| // A maintainer adds an automerge label to a PR they didn't necessarily author. | ||
| // Validate: label is a known automerge label, adder is in that team, PR only | ||
| // touches that SDK's directory. | ||
| const addedLabel = context.payload.label.name; | ||
| const mapping = MAPPINGS.find(m => m.label === addedLabel); | ||
|
|
||
| if (!mapping) { | ||
| core.info(`Label "${addedLabel}" is not a recognized automerge label; skipping.`); | ||
| core.setOutput('eligible', 'false'); | ||
| return; | ||
| } | ||
|
|
||
| const labelAdder = context.payload.sender.login; | ||
| try { | ||
| const active = await checkMembership(mapping.teamSlug, labelAdder); | ||
| if (!active) { | ||
| core.info(`User ${labelAdder} is not active in team ${mapping.teamSlug}; removing label.`); | ||
| core.setOutput('eligible', 'false'); | ||
| core.setOutput('remove_label', addedLabel); | ||
| return; | ||
| } | ||
| } catch (err) { | ||
| core.info(`Membership check failed for ${labelAdder} in team ${mapping.teamSlug}: ${err.status} ${err.message}`); | ||
| core.setOutput('eligible', 'false'); | ||
| core.setOutput('remove_label', addedLabel); | ||
| return; | ||
| } | ||
|
|
||
| const resolvedMapping = await resolveMapping(number); | ||
| if (!resolvedMapping || resolvedMapping !== mapping) { | ||
| core.info('PR touches files outside the labeled SDK directory or multiple directories; removing label.'); | ||
| core.setOutput('eligible', 'false'); | ||
| core.setOutput('remove_label', addedLabel); | ||
| return; | ||
| } | ||
|
|
||
| core.info(`Maintainer ${labelAdder} approved merge via label for ${mapping.label}.`); | ||
| core.setOutput('eligible', 'true'); | ||
| core.setOutput('label', mapping.label); | ||
| core.setOutput('teamSlug', mapping.teamSlug); | ||
| core.setOutput('lang', (mapping.label.split(': ')[1] || 'sdk')); | ||
|
|
||
| } else { | ||
| // --- Author-is-maintainer flow --- | ||
| // PR author must themselves be a maintainer of the single SDK directory the PR touches. | ||
| const username = pr.user.login; | ||
|
|
||
| const currentMapping = await resolveMapping(number); | ||
| if (!currentMapping) { | ||
| core.info('PR is not eligible: no changed files, outside mapped paths, or touches multiple SDK directories.'); | ||
| core.setOutput('eligible', 'false'); | ||
| return; | ||
| } | ||
|
|
||
| try { | ||
| const active = await checkMembership(currentMapping.teamSlug, username); | ||
| if (!active) { | ||
| core.info(`User ${username} is not active in team ${currentMapping.teamSlug}.`); | ||
| core.setOutput('eligible', 'false'); | ||
| return; | ||
| } | ||
| } catch (err) { | ||
| core.info(`Membership check failed or user not in team ${currentMapping.teamSlug}: ${err.status} ${err.message}`); | ||
| core.setOutput('eligible', 'false'); | ||
| return; | ||
| } | ||
|
|
||
| core.setOutput('eligible', 'true'); | ||
| core.setOutput('label', currentMapping.label); | ||
| core.setOutput('teamSlug', currentMapping.teamSlug); | ||
| core.setOutput('lang', (currentMapping.label.split(': ')[1] || 'sdk')); | ||
| } | ||
|
|
||
| # 2) Remove unauthorized automerge labels (uses default repo-scoped token) | ||
| - name: Remove unauthorized automerge label | ||
| if: steps.teamcheck.outputs.remove_label != '' | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const { owner, repo } = context.repo; | ||
| const number = context.payload.pull_request.number; | ||
| const labelName = '${{ steps.teamcheck.outputs.remove_label }}'; | ||
| try { | ||
| await github.rest.issues.removeLabel({ owner, repo, issue_number: number, name: labelName }); | ||
| core.info(`Removed unauthorized label "${labelName}" from PR #${number}.`); | ||
| } catch (e) { | ||
| if (e.status !== 404) throw e; // 404 = already removed, ignore | ||
| } | ||
|
|
||
| # 3) If eligible, label, approve and merge with the default repo-scoped token | ||
| - name: Label, auto-approve & merge | ||
| if: steps.teamcheck.outputs.eligible == 'true' | ||
| uses: actions/github-script@v7 | ||
|
|
@@ -133,6 +199,13 @@ jobs: | |
| core.warning(`Failed to create review: ${e.message}`); | ||
| } | ||
|
|
||
| // Block if "do-not-merge" label is present | ||
| const currentLabels = context.payload.pull_request.labels.map(l => l.name.toLowerCase()); | ||
| if (currentLabels.includes('do-not-merge')) { | ||
| core.info('PR has "do-not-merge" label; skipping merge until it is removed.'); | ||
| return; | ||
|
Comment on lines
+202
to
+206
Contributor
There was a problem hiding this comment. Can you check if this is relevant @WhitWaldo? I think the likelyhood of this one is very small.
Contributor
Author
There was a problem hiding this comment. Yeah, I'm not too worried about it. I think it's something we can internally notate for maintainers - labels are the triggers, so if you change them while it's running, it's not going to work. Cancel first, change the label and re-trigger. |
||
| } | ||
|
|
||
| // Poll mergeability | ||
| const wait = ms => new Promise(r => setTimeout(r, ms)); | ||
| for (let i = 0; i < 12; i++) { | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you check if this is relevant @WhitWaldo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I think this is handled by the later check on line 81 - if mapping isn't set (and it's only set on a labeled action), the eligible flag is set to false and it terminates the action. As there isn't an unlabeled action we can trigger on, the intent is that the maintainer will add the automerge label for their repo triggering this again.