Label PRs with change type according to changelog #1769

Open
wants to merge 10 commits into
base: main
3 changes: 0 additions & 3 deletions .github/workflows/prepare-new-issue.yml
Expand Up @@ -10,9 +10,6 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Run update permissions
run: chmod +x ./.github/workflows/scripts/prepare-new-issue.sh

- name: Run prepare-new-issue.sh
run: ./.github/workflows/scripts/prepare-new-issue.sh
env:
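Review bot: with the `chmod +x` step dropped, the `run: ./.github/workflows/scripts/prepare-new-issue.sh` step that follows only works if the script is tracked with its executable bit, and no mode change for that file is visible in this diff. Confirm it is committed as mode 100755 (`git ls-files -s` shows the mode), or invoke it as `bash ./.github/workflows/scripts/prepare-new-issue.sh` so the step does not depend on the file mode.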
53 changes: 53 additions & 0 deletions .github/workflows/prepare-new-pr.yml
@@ -0,0 +1,53 @@
name: 'Prepare new PR'
on:
pull_request_target:
types: [opened, synchronize]
branches: [ 'main*' ]
paths: ['.chloggen/*']

jobs:
get-change-details:
runs-on: ubuntu-latest
permissions:
contents: read
if: ${{ github.repository_owner == 'open-telemetry' }}
outputs:
change_type: ${{ steps.get-change-type.outputs.change_type }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
- id: get-change-type
name: Run get-change-type.sh
run: |
set +e
change_type=$(./.github/workflows/scripts/get-change-type.sh)
Member

@trask trask Jan 21, 2025

this is in the danger zone because it's running this script from the PR branch under elevated permissions

I'm not sure it's vulnerable b/c this part isn't passing any env vars, but it's probably an area better to avoid (noticed it is passing GITHUB_TOKEN to the script)

I think a good way to mitigate this risk would be to checkout main, then checkout the PR branch in a subdir, e.g.

      - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          path: prbranch

then it's clearer we're only using the files from the prbranch, and avoids temptation to execute any scripts in it

I haven't used it before, but it looks like we could even add a `sparse-checkout: .chloggen` to the checkout action to make it even clearer that we're using those files from the PR branch

Member

sorry, didn't see your most recent updates when I left this, looking...

Member

this is still giving GITHUB_TOKEN to the script in the PR branch

if [ $? -ne 0 ]; then
change_type=""
fi
echo "change_type=$change_type" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR: ${{ github.event.pull_request.number }}

# get-change-details job needs to check out PR code to read changelog, but it only needs read permissions.
# prepare-new-pr job needs write permissions to set labels, but it runs on the main branch.
# this way we don't have write permissions while running PR code.
prepare-new-pr:
runs-on: ubuntu-latest
needs: get-change-details
permissions:
pull-requests: write
if: |
needs.get-change-details.outputs.change_type != '' &&
needs.get-change-details.outputs.change_type != null &&
github.repository_owner == 'open-telemetry'
steps:
- uses: actions/checkout@v4
lmolkova marked this conversation as resolved.

- name: Set label with change type on the PR
run: gh pr edit "${PR}" --add-label "${CHANGE_TYPE}" || true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR: ${{ github.event.pull_request.number }}
CHANGE_TYPE: ${{ needs.get-change-details.outputs.change_type }}
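Review bot: in `get-change-details`, the checkout uses `ref: ${{ github.head_ref }}` with no `repository:`, so under `pull_request_target` the branch name is resolved in the base repository; for a PR opened from a fork that branch is normally absent there, and the step either fails or picks up an unrelated branch of the same name. The step after it then runs `./.github/workflows/scripts/get-change-type.sh` from that checkout with `GITHUB_TOKEN` in its environment, which is the concern raised in the review thread on that line. Suggest keeping the default checkout for the script, fetching the PR head by `github.event.pull_request.head.sha` with `repository: ${{ github.event.pull_request.head.repo.full_name }}` into a separate `path:`, and reading only the `.chloggen` file from that directory.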
31 changes: 31 additions & 0 deletions .github/workflows/scripts/get-change-type.sh
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
#
# Copyright The OpenTelemetry Authors
# SPDX-License-Identifier: Apache-2.0


# This script gets change type from chloggen file.
# If there are none or multiple changelog files, it will return 1.

if [ -z ${PR:-} ]; then
echo "PR number is required"
exit 1
fi

CHLOG="$(gh pr view $PR --json files --jq '.files.[].path | select (. | startswith(".chloggen/"))')"
# echo "Change log file(s): ${CHLOG}"

if [ -z "$CHLOG" ]; then
echo "No changelog found in the PR. Ignoring this change."
exit 1
fi

COUNT="$(echo "$CHLOG" | wc -l)"
if [ $COUNT -eq 1 ]; then
CHANGE_TYPE=$(awk -F': ' '/^change_type:/ {print $2}' $CHLOG | xargs)
echo $CHANGE_TYPE
exit 0
else
echo "Found multiple changelog files. Ignoring this change."
exit 1
fi
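Review bot: `$CHLOG` in the `awk` call and `$PR` in `gh pr view $PR` are unquoted, and `$CHLOG` is a path chosen by the PR author, so a `.chloggen/` filename containing whitespace or glob characters is word-split and expanded before `awk` sees it. Quote them (`"$CHLOG"`, `"$PR"`, and `[ -z "${PR:-}" ]` in the first test, which misbehaves on an unquoted empty expansion only by accident of `[` semantics). Since the value printed by `echo $CHANGE_TYPE` is read from a PR-supplied file and ends up as a label, consider rejecting anything outside the expected set of change types before echoing it, and send the "No changelog found" and "Found multiple changelog files" messages to stderr so they can never be captured as the change type.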