PR automations #8440
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Runs all automations related to PR events. | |
# | |
# See `issue_automations.yml` for the corresponding implementation for issues. | |
# | |
# The automations for PR events are a little more complex than those for issues | |
# because PRs are a less secure environment. To avoid leaking secrets, we need | |
# to run automations with code as it appears on `main`. | |
# | |
# `pull_request_target` serves this purpose but there is no corresponding | |
# `_target` version for `pull_request_review`. So we take this roundabout | |
# approach: | |
# | |
# This workflow waits for the `pr_automations_init.yml` workflow to complete and | |
# then uses its exports to run automations from main, with access to secrets. | |
# | |
# ...continued from `pr_automations_init.yml` | |
# | |
# 4. This workflow runs after `pr_automations_init.yml` workflow completes. | |
# 5. It downloads the artifacts from that workflow run. | |
# 6. It extracts the JSON file from the ZIP to `/tmp`. | |
# 7. It runs the automations as a script, which can access secrets. | |
name: PR automations | |
on: | |
workflow_run: | |
workflows: | |
- PR automations init | |
types: | |
- completed | |
jobs: | |
run: | |
name: Perform PR automations | |
runs-on: ubuntu-latest | |
# Prevent running this workflow on forks, it's unnecessary for external contributors | |
if: github.repository_owner == 'WordPress' | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# This step was copied from the GitHub docs. | |
# Ref: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow | |
- name: Download artifact | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
let fs = require('fs'); | |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
run_id: context.payload.workflow_run.id, | |
}); | |
let matchArtifacts = allArtifacts.data.artifacts.filter((artifact) => { | |
return ["event_info", "change_info"].includes(artifact.name) | |
}); | |
for (let matchArtifact of matchArtifacts) { | |
let download = await github.rest.actions.downloadArtifact({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
artifact_id: matchArtifact.id, | |
archive_format: 'zip', | |
}); | |
fs.writeFileSync( | |
`${process.env.GITHUB_WORKSPACE}/${matchArtifact.name}.zip`, | |
Buffer.from(download.data) | |
); | |
} | |
- name: Unzip artifacts | |
run: | | |
unzip event_info.zip | |
mv event.json /tmp/event.json | |
cat /tmp/event.json | |
unzip change_info.zip | |
mv change.json /tmp/change.json | |
cat /tmp/change.json | |
- name: Perform PR labelling | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.ACCESS_TOKEN }} | |
script: | | |
const { main } = await import('${{ github.workspace }}/automations/js/src/label_pr.mjs') | |
await main(github, core) | |
- name: Perform PR automations | |
uses: actions/github-script@v7 | |
if: success() || failure() | |
with: | |
github-token: ${{ secrets.ACCESS_TOKEN }} | |
script: | | |
const { main } = await import('${{ github.workspace }}/automations/js/src/project_automation/prs.mjs') | |
await main(github, core) |