File: pr-handler.yml

name: Handle Pull Request
on:
  # WARNING: pull_request_target MUST NOT be used if running code under control
  # of the source PR [0], as it could risk leaking the GH_TOKENs.
  #
  # In this case, we do it as the job needs to run within the context of the
  # target repo, so it can get a GH_TOKEN which it can use to comment on and
  # update the PR.
  #
  # Crucially, no external code is loaded or run as part of this workflow.
  # (No step checks out or executes content from the PR; PR-derived values
  # such as the number and the changed file paths are only handled as data.)
  #
  # [0] https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target:~:text=Warning-,Running,website
  #
  # NOTE(review): only `opened` and `reopened` trigger this workflow, so the
  # membership and path checks are not re-run when further commits are pushed
  # to an already-open PR. Confirm that the path restriction is enforced again
  # wherever the PR is actually landed.
  pull_request_target:
    types: [opened, reopened]


env:
  # Slug of the team whose members may open pull requests against this repo.
  ALLOWED_TEAM: lando-github-pilot
  # Directory prefixes a PR may touch, one per line. The "Check allowed paths"
  # step joins these lines into a single regular expression, so each entry is
  # interpreted as a regex fragment rather than as a literal string.
  ALLOWED_PATHS: |
    mobile/android/android-components
    mobile/android/fenix
    mobile/android/focus-android

  # Repository and PR number that the `gh` calls in the steps operate on.
  GH_REPO: ${{ github.repository }}
  PR: ${{ github.event.pull_request.number }}

  # Default workflow token used by `gh` in the steps that do not override it.
  # NOTE(review): being workflow-level, this is exported to every step of the
  # job; consider scoping it to the steps that actually call `gh pr`.
  GH_TOKEN: ${{ github.token }}

jobs:
  # NOTE(review): this workflow declares no `permissions:` key, so github.token
  # carries whatever default scopes the repository is configured with. Consider
  # declaring only the scopes the `gh pr` calls in this job need.
  handle-pr:
    runs-on: ubuntu-latest
    steps:

      # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
      # We use the Lando Web App to obtain a token with sufficient permissions.
      #
      # continue-on-error lets the job proceed if token creation fails. The
      # later steps only treat an explicit is_member == 'true' as success, so a
      # missing token ends with the PR being closed rather than accepted.
      #
      # NOTE(review): the action is referenced by a mutable tag (@v2) and is
      # handed the app's private key. Pinning it to a full commit SHA would
      # prevent a moved tag from changing what runs with that key.
      - name: Generate a Lando Web token
        id: generate-lando-web-token
        uses: actions/create-github-app-token@v2
        continue-on-error: true
        with:
          app-id: ${{ vars.LANDO_WEB_APP_ID }}
          private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
          # Ask only for read access to organisation members.
          permission-members: read

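      # Looks the triggering account up in ALLOWED_TEAM using the app token
      # generated earlier in the job (this step's GH_TOKEN overrides the
      # workflow-level one). Any failure of the lookup - not a member, no
      # token, API error - yields is_member=false.
      #
      # NOTE(review): AUTHOR is github.actor, the account that triggered this
      # run. For `reopened` events that can differ from the account that opened
      # the PR; confirm that checking the reopener is what is intended.
      #
      # NOTE(review): any successful response counts as membership here; confirm
      # whether a membership in the "pending" state should also be accepted.
      - name: Check team membership
        id: team
        continue-on-error: true
        env:
          AUTHOR: ${{ github.actor }}
          GH_ORG: ${{ github.repository_owner }}
          GH_TOKEN: ${{ steps.generate-lando-web-token.outputs.token }}
        run: |
          if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
            echo "is_member=true" >> "$GITHUB_OUTPUT"
          else
            echo "is_member=false" >> "$GITHUB_OUTPUT"
          fi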

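      # Verifies that every file changed by the PR lives under one of the
      # ALLOWED_PATHS directories. Only runs once team membership is confirmed.
      #
      # NOTE(review): confirm that `gh pr view --json files` returns the
      # complete file list for PRs that change a very large number of files.
      - name: Check allowed paths
        id: paths
        continue-on-error: true
        if: steps.team.outputs.is_member == 'true'
        run: |
          # Join the newline-separated prefixes into one regex alternation.
          PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
          # Fetch the file list on its own: in a pipeline, a failed `gh` call
          # would hand grep empty input and be read as "nothing disallowed".
          if ! FILES=$(gh pr view "${PR}" --json files --jq '.files[].path'); then
            echo "only_allowed=false" >> "$GITHUB_OUTPUT"
          # The trailing "/" anchors each prefix at a directory boundary, so a
          # sibling directory that merely starts with an allowed name does not
          # match. grep -v prints, and succeeds on, any path outside the
          # allowed directories; an empty list also counts as not allowed.
          elif grep -vE "^(${PATTERN})/" <<< "${FILES}"; then
            echo "only_allowed=false" >> "$GITHUB_OUTPUT"
          else
            echo "only_allowed=true" >> "$GITHUB_OUTPUT"
          fi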

      # Closes the PR with an explanatory comment, then locks it, unless both
      # checks explicitly succeeded. The conditions compare against 'true', so
      # a check step that failed or was skipped (empty output) also leads here.
      # Runs with the workflow-level GH_TOKEN (github.token).
      - name: Close PR
        if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true'
        run: |
          gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
          gh pr lock "${PR}"

      # Posts a comment linking the PR to its Lando page once both checks have
      # passed. Restricted to the `opened` action, so a reopened PR does not
      # receive a second link.
      #
      # Expression values reach the script through `env` instead of being
      # interpolated into the `run` text, which keeps them out of the shell's
      # own parsing.
      - name: Add Lando link
        if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
        env:
          #
          # Set the following variables at the repository level [0].
          # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows
          #
          LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }}
          LANDO_REPO: ${{ vars.LANDO_REPO }}
          #
          # If they are empty, the following will be used to determine sane defaults.
          #
          DEFAULT_LANDO_BASE_URL: https://lando.moz.tools
          # Branch the PR targets; used to build the default LANDO_REPO name.
          TARGET_BRANCH: ${{ github.base_ref }}
        run: |
          LANDO_BASE_URL="${LANDO_BASE_URL:-${DEFAULT_LANDO_BASE_URL}}"
          # We extract the GitHub repo name and target branch to use as
          # default LANDO_REPO if unspecified.
          LANDO_REPO="${LANDO_REPO:-${GH_REPO/*\//}-${TARGET_BRANCH}}"
          gh pr comment "${PR}" --body "[View this pull request in Lando](${LANDO_BASE_URL}/pulls/${LANDO_REPO}/${PR}) to land it once approved."