File: event-processor.yml

name: GitHub Event Processor

on:
  issues:
    types:
      - edited
      - labeled
      - opened
      - reopened
      - unlabeled
  # issue_comment fires for comments on issues and on pull requests alike;
  # github.event.issue.pull_request is non-null when the comment is on a pull request.
  issue_comment:
    types:
      - created
  # pull_request_target runs in the context of the base repository, so the job
  # permissions declared in this file also apply to pull requests from forks;
  # the event payload has to be treated as untrusted input.
  # "synchronize" is the action sent when changes are pushed to the pull request.
  # A merge arrives as "closed" with github.event.pull_request.merged = true.
  pull_request_target:
    types:
      - closed
      - labeled
      - opened
      - reopened
      - review_requested
      - synchronize
      - unlabeled

# Deny by default: the workflow-level GITHUB_TOKEN is given no permissions.
# Each job declares the scopes it needs in its own permissions block.
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions: {}

jobs:
  # The "issues: opened" event needs the Azure CLI to read LABEL_SERVICE_API_KEY
  # from the vault. azure/login adds time-costly pre/post Az CLI commands to
  # every job it is used in, which is why it was split into its own job so that
  # only the event that needs the Az CLI pays that cost.
  # NOTE(review): this file defines a single job with no job-level condition;
  # the Azure steps are gated by their own `if:` instead. Confirm the split
  # described above is still what is intended.
  # NOTE(review): id-token: write is therefore in effect for every trigger,
  # not only for the event that signs in to Azure.
  event-handler-with-azure:
    name: 'Handle ${{ github.event_name }} ${{ github.event.action }} event with azure login'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request the OIDC token used for the Azure sign-in
      id-token: write
      issues: write
      pull-requests: write
    steps:
      # OIDC sign-in: the step is given a client ID and a tenant ID and no client
      # secret. Both IDs are identifiers, not credentials.
      # NOTE(review): azure/login is referenced by a mutable tag (v2); pinning the
      # action to a full commit SHA is the usual hardening for a job that holds
      # id-token: write.
      - name: 'Az CLI login'
        if: ${{ github.event_name == 'issues' && github.event.action == 'opened' }}
        uses: azure/login@v2
        with:
          client-id: 'a6dd2dfe-7352-41a7-9020-05301c3bca1a'
          tenant-id: '72f988bf-86f1-41af-91ab-2d7cd011db47'
          allow-no-subscriptions: true

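      # Reads the label-service function key from Key Vault and hands it to the
      # later steps of this job. Runs only for "issues: opened", like the login step.
      - name: 'Run Azure CLI commands'
        if: ${{ github.event_name == 'issues' && github.event.action == 'opened' }}
        run: |
          LABEL_SERVICE_API_KEY=$(az keyvault secret show \
            --vault-name issue-labeler \
            -n issue-labeler-func-key \
            -o tsv \
            --query value)

          # Register the mask before the value is written anywhere else, so that
          # later log output shows it redacted.
          echo "::add-mask::$LABEL_SERVICE_API_KEY"
          # GITHUB_ENV exports the key to every later step of this job, not only
          # to the step that consumes it. The NAME=value form assumes the secret
          # is a single line - TODO confirm. The redirect target is quoted so it
          # is always treated as one word.
          echo "LABEL_SERVICE_API_KEY=$LABEL_SERVICE_API_KEY" >> "$GITHUB_ENV"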

      # The released tool is installed by default. To test a github-event-processor
      # built from source instead, comment out everything between the
      # Start-Install/End-Install markers and uncomment everything between the
      # Start-Build/End-Build markers.
      # The version is pinned to one exact build. --add-source adds the azure-sdk
      # public feed to the package sources NuGet already has configured.
      # NOTE(review): the installed tool later runs with this job's GITHUB_TOKEN;
      # confirm the package ID can only resolve from the intended feed.
      # Start-Install
      - name: Install GitHub Event Processor
        shell: bash
        run: |
          dotnet tool install \
            Azure.Sdk.Tools.GitHubEventProcessor \
            --version 1.0.0-dev.20250314.4 \
            --add-source https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json \
            --global
      # End-Install

      # Testing checkout of sources from the Azure/azure-sdk-tools repository.
      # The ref: is either the SHA from the pull request in that repository or
      # refs/pull/<PRNumber>/merge for the latest state of a given PR. If the
      # sources are in a fork, e.g. <User>/azure-sdk-tools, the repository: value
      # below must point to that fork. The tool built here runs with this job's
      # write token and OIDC permission, so build only a ref that has been reviewed.
      # Start-Build
      # - name: Checkout tools repo for GitHub Event Processor sources
      #   uses: actions/checkout@v3
      #   with:
      #     repository: Azure/azure-sdk-tools
      #     path: azure-sdk-tools
      #     ref: <refs/pull/<PRNumber>/merge> or <sha>

      # - name: Build and install GitHubEventProcessor from sources
      #   run: |
      #     dotnet pack
      #     dotnet tool install --global --prerelease --add-source ../../../artifacts/packages/Debug Azure.Sdk.Tools.GitHubEventProcessor
      #   shell: bash
      #   working-directory: azure-sdk-tools/tools/github-event-processor/Azure.Sdk.Tools.GitHubEventProcessor
      # End-Build

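      # Runs the event processor on the payload that triggered the workflow.
      - name: Process Action Event
        # The event name and payload path are read from the runner's default
        # environment variables and quoted, so no ${{ }} expression is expanded
        # into the script text and each value stays a single argument.
        run: |
          github-event-processor "$GITHUB_EVENT_NAME" "$GITHUB_EVENT_PATH"
        shell: bash
        env:
          # Temporary token that GitHub generates for the run; what it may do is
          # limited by the job's permissions block.
          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only the "issues: opened" path writes this value to GITHUB_ENV; for
          # every other event the expression expands to an empty string.
          LABEL_SERVICE_API_KEY: ${{ env.LABEL_SERVICE_API_KEY }}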

      # Keeps the raw event payload for troubleshooting. always() makes the upload
      # run even when an earlier step failed.
      # NOTE(review): the payload holds user-written issue, comment and pull
      # request text, and anyone who can download this run's artifacts can read it.
      # No retention-days is set, so the default retention applies.
      # NOTE(review): actions/upload-artifact is referenced by a mutable tag (v4).
      - name: Archive github event data
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: 'event'
          path: ${{ github.event_path }}