From c3efb25c32bc19ecedac8ac5cecac7b40d48d135 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 08:31:18 -0500 Subject: [PATCH 01/21] add triage workflow --- .github/workflows/pr-update.yml | 16 +++++++++++++++- .github/workflows/stale.yml | 16 ++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 31e0038705499..db91e05e6d93d 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -25,9 +25,11 @@ on: # * https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ pull_request_target: types: [opened, reopened, synchronize] + branches: + - trunk jobs: - label_PRs: + add-labeler-labels: name: Labeler permissions: contents: read @@ -45,3 +47,15 @@ jobs: PR_NUM: ${{github.event.number}} run: | ./.github/scripts/label_small.sh + + add-triage-label: + if: github.event.action == 'opened' + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - run: gh pr edit "$NUMBER" --add-label triage + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.pull_request.number }} \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9382d4173e94c..6ceb074f62c10 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -35,6 +35,22 @@ permissions: pull-requests: write jobs: + needs-attention: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v9 + with: + debug-only: ${{ inputs.dryRun || false }} + operations-per-run: ${{ inputs.operationsPerRun || 500 }} + days-before-stale: 7 + days-before-close: -1 + ignore-pr-updates: true + only-pr-labels: 'triage' + stale-pr-label: 'needs-attention' + stale-pr-message: | + A label of 'needs-attention' was automatically added to this PR in order to raise the + attention of the committers. Once this issue has been triaged, the `triage` label + should be removed to prevent this automation from happening again. stale: runs-on: ubuntu-latest steps: From 003b14ec776cc0677de7bdb6423d28e9d52660fe Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 08:39:18 -0500 Subject: [PATCH 02/21] print env --- .github/workflows/pr-update.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index db91e05e6d93d..5e14f61f70a8a 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -54,6 +54,17 @@ jobs: permissions: pull-requests: write steps: + - name: Env + run: printenv + env: + GITHUB_CONTEXT: ${{ toJson(github) }} + - run: | + USERS=$(gh api \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/apache/kafka/contributors | jq -r '.[].login') + echo $USERS + - run: gh pr edit "$NUMBER" --add-label triage env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 60df0cddf24b39544b73844ac6bf439bf47eea28 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 08:41:12 -0500 Subject: [PATCH 03/21] wip --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 5e14f61f70a8a..05b7f2fbf1bdd 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml 
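Review bot: `days-before-stale: 7` in the new `needs-attention` job is not limited to pull requests, because `only-pr-labels` filters PRs only. If GitHub issues are enabled on the repository, actions/stale would also mark idle issues after 7 days. Adding `days-before-issue-stale: -1` next to it keeps the job scoped to PRs that carry `triage`. The `stale-pr-message` also says "Once this issue has been triaged" although it is posted on a PR; `Once this PR has been triaged` would read correctly.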
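Review bot: The added `Env` step exports `toJson(github)` and prints the whole environment with `printenv`, inside a job that runs on `pull_request_target` with `pull-requests: write`. The `github` context includes `github.token` (masked in logs, but still handed to the step) as well as fields the PR author controls, such as the title and body. This is debugging output and should not ship in a privileged workflow; I would drop the step before merge or print only the specific fields being debugged. The same step is added again to pr-reviewed-trigger.yml and pr-reviewed.yml in patch 16.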
@@ -49,7 +49,7 @@ jobs: ./.github/scripts/label_small.sh add-triage-label: - if: github.event.action == 'opened' + if: github.event.action == 'opened' || github.event.action == 'reopened' runs-on: ubuntu-latest permissions: pull-requests: write From a771e759d0bb73edeb0b338e15dad93dad14a91c Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:09:09 -0500 Subject: [PATCH 04/21] add committer check --- .github/workflows/pr-update.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 05b7f2fbf1bdd..32936cab12e32 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -58,14 +58,20 @@ jobs: run: printenv env: GITHUB_CONTEXT: ${{ toJson(github) }} - - run: | - USERS=$(gh api \ + - name: Check PR Author # The step sets output "exitcode" to 0 iff the PR is from a committer. + id: check-author + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_USER: ${{ github.event.pull_request.user.login }} + run: | + gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors | jq -r '.[].login') - echo $USERS - - - run: gh pr edit "$NUMBER" --add-label triage + /repos/apache/kafka/contributors | jq -e '.[] | select(.login == "$PR_USER") + exitcode="$?" + echo "exitcode=$exitcode" >> $GITHUB_OUTPUT + - if: steps.check-author.outputs.exitcode != 0 + run: gh pr edit "$NUMBER" --add-label triage env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} From 0350b04cc366d03b445c3ea75247c3219a6f324a Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:10:44 -0500 Subject: [PATCH 05/21] fix jq --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 32936cab12e32..82aa0b6936d46 100644 --- a/.github/workflows/pr-update.yml 
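Review bot: The `Check PR Author` step in patch 04 is commented as detecting a committer, but `/repos/apache/kafka/contributors` lists accounts with commits in the repository, which is not the same as commit rights. Without `--paginate`, `gh api` also returns only the first page of that list, so the match depends on where the author happens to fall in it. Either reword the comment to what is actually checked, e.g. `# Sets output "exitcode" to 0 iff the PR author appears in the contributors list`, or check against a source that reflects commit rights. The decision only drives a label here, but the comment would mislead anyone who reuses the step for something stricter.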
+++ b/.github/workflows/pr-update.yml @@ -67,7 +67,7 @@ jobs: gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors | jq -e '.[] | select(.login == "$PR_USER") + /repos/apache/kafka/contributors | jq -e '.[] | select(.login == "$PR_USER")' exitcode="$?" echo "exitcode=$exitcode" >> $GITHUB_OUTPUT - if: steps.check-author.outputs.exitcode != 0 From fae42580697ac451245639b118fcec57ce126c43 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:11:58 -0500 Subject: [PATCH 06/21] dont exit bash early --- .github/workflows/pr-update.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 82aa0b6936d46..ecc03ea11ed56 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -64,6 +64,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_USER: ${{ github.event.pull_request.user.login }} run: | + set +e gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ From 8961db824f66cf2ac0ef7b094c265cb902638db1 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:16:08 -0500 Subject: [PATCH 07/21] wip --- .github/workflows/pr-update.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index ecc03ea11ed56..d8cd3ac91c20c 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -65,6 +65,10 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e + gh api \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/apache/kafka/contributors gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ From 9fe6121550771b6c4cb9ea3587402e5cd5649579 Mon Sep 17 00:00:00 2001 
From: David Arthur Date: Wed, 20 Nov 2024 11:25:21 -0500 Subject: [PATCH 08/21] different approach --- .github/workflows/pr-update.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index d8cd3ac91c20c..f76a62561cf15 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -65,17 +65,16 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e - gh api \ + FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors - gh api \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors | jq -e '.[] | select(.login == "$PR_USER")' - exitcode="$?" - echo "exitcode=$exitcode" >> $GITHUB_OUTPUT - - if: steps.check-author.outputs.exitcode != 0 + /repos/apache/kafka/contributors --jq '.[] | select(.login == "$PR_USER") | .login') + if [ "FOUND_CONTRIBUTOR" == "$PR_USER" ]; then + echo "contributor=1" >> $GITHUB_OUTPUT + else + echo "contributor=0" >> $GITHUB_OUTPUT + fi + - if: steps.check-author.outputs.contributor == 0 run: gh pr edit "$NUMBER" --add-label triage env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 883f103fb8a7b6bf895d0f1a2c4a1d830070a4d5 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:27:46 -0500 Subject: [PATCH 09/21] wip --- .github/workflows/pr-update.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index f76a62561cf15..097ab9fb568cf 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -50,6 +50,7 @@ jobs: add-triage-label: if: github.event.action == 'opened' || github.event.action == 'reopened' + name: Add triage label runs-on: ubuntu-latest permissions: pull-requests: write 
@@ -65,11 +66,12 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e + echo $PR_USER FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/apache/kafka/contributors --jq '.[] | select(.login == "$PR_USER") | .login') - if [ "FOUND_CONTRIBUTOR" == "$PR_USER" ]; then + if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then echo "contributor=1" >> $GITHUB_OUTPUT else echo "contributor=0" >> $GITHUB_OUTPUT From 35a47bcadc02e8233cfea5dc83ed80bd7a7a35e4 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:29:06 -0500 Subject: [PATCH 10/21] wip --- .github/workflows/pr-update.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 097ab9fb568cf..6274ccf22fb11 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -71,6 +71,7 @@ jobs: -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/apache/kafka/contributors --jq '.[] | select(.login == "$PR_USER") | .login') + echo $FOUND_CONTRIBUTOR if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then echo "contributor=1" >> $GITHUB_OUTPUT else From cfec4b2bb4c7e8053713228c810e1d6b99bf32af Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:36:04 -0500 Subject: [PATCH 11/21] hardcode login --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 6274ccf22fb11..0297ce617013e 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml 
@@ -70,7 +70,7 @@ jobs: FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors --jq '.[] | select(.login == "$PR_USER") | .login') + /repos/apache/kafka/contributors --jq '.[] | select(.login == "mumrah") | .login') echo $FOUND_CONTRIBUTOR if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then echo "contributor=1" >> $GITHUB_OUTPUT From 32112908de55ba46d636ce6cc815bb41b98cb9c2 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:37:37 -0500 Subject: [PATCH 12/21] try env without quotes --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 0297ce617013e..cafb49e65c23b 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -70,7 +70,7 @@ jobs: FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors --jq '.[] | select(.login == "mumrah") | .login') + /repos/apache/kafka/contributors --jq '.[] | select(.login == $PR_USER) | .login') echo $FOUND_CONTRIBUTOR if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then echo "contributor=1" >> $GITHUB_OUTPUT From 22c5b264d8612dd1dbc1bd131a490776ea4abeed Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:40:56 -0500 Subject: [PATCH 13/21] try different quoting --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index cafb49e65c23b..f7871cf20db92 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml 
@@ -70,7 +70,7 @@ jobs: FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors --jq '.[] | select(.login == $PR_USER) | .login') + /repos/apache/kafka/contributors --jq '.[] | select(.login == "'"$PR_USER"'") | .login') echo $FOUND_CONTRIBUTOR if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then echo "contributor=1" >> $GITHUB_OUTPUT From 34eecff902e32495dcb34d9909e83a16b8a93c79 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 11:43:14 -0500 Subject: [PATCH 14/21] add some output --- .github/workflows/pr-update.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index f7871cf20db92..c2dd71ff1284b 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -66,15 +66,16 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e - echo $PR_USER + echo "Checking repo contributors for PR author: $PR_USER" FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/apache/kafka/contributors --jq '.[] | select(.login == "'"$PR_USER"'") | .login') - echo $FOUND_CONTRIBUTOR if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then + echo "Found contributor $FOUND_CONTRIBUTOR that matches PR author $PR_USER" echo "contributor=1" >> $GITHUB_OUTPUT else + echo "Did not find contributor for $PR_USER" echo "contributor=0" >> $GITHUB_OUTPUT fi - if: steps.check-author.outputs.contributor == 0 From 00b96f71d23b80c45283f4fba92158540d5c95a4 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 20 Nov 2024 13:01:44 -0500 Subject: [PATCH 15/21] formatting --- .github/workflows/pr-update.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index c2dd71ff1284b..88a7fb78bf79c 100644 
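Review bot: The `"'"$PR_USER"'"` quoting in patch 13 splices the PR author's login into the jq program text, so the value is parsed as jq syntax instead of being compared as data. The login comes from the event payload of a `pull_request_target` run, and even if logins cannot carry a quote today, passing it as a variable keeps it out of the filter entirely. Piping the response to `jq -r --arg user "$PR_USER" '.[] | select(.login == $user) | .login'` would do that. The step's `run:` block starts and ends outside this hunk.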
--- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -66,7 +66,7 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e - echo "Checking repo contributors for PR author: $PR_USER" + echo "Checking repo contributors for PR author $PR_USER" FOUND_CONTRIBUTOR=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ @@ -79,8 +79,8 @@ jobs: echo "contributor=0" >> $GITHUB_OUTPUT fi - if: steps.check-author.outputs.contributor == 0 - run: gh pr edit "$NUMBER" --add-label triage env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} - NUMBER: ${{ github.event.pull_request.number }} \ No newline at end of file + NUMBER: ${{ github.event.pull_request.number }} + run: gh pr edit "$NUMBER" --add-label triage From b954ae05879b0cda67609e82b2d66edf65ee83a5 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Fri, 22 Nov 2024 14:42:34 -0500 Subject: [PATCH 16/21] Use workflow_run and script action to remove triage label following a review --- .github/workflows/pr-reviewed-trigger.yml | 42 ++++++++++++++++++ .github/workflows/pr-reviewed.yml | 53 +++++++++++++++++++++++ .github/workflows/pr-update.yml | 15 ++++--- 3 files changed, 103 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/pr-reviewed-trigger.yml create mode 100644 .github/workflows/pr-reviewed.yml diff --git a/.github/workflows/pr-reviewed-trigger.yml b/.github/workflows/pr-reviewed-trigger.yml new file mode 100644 index 0000000000000..f089176ff4b23 --- /dev/null +++ b/.github/workflows/pr-reviewed-trigger.yml 
@@ -0,0 +1,42 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Pull Request Reviewed + +on: + pull_request_review: + types: + - submitted + +jobs: + # This job is a workaround for the fact that pull_request_review lacks necessary permissions to modify PRs. + # Also, there is no pull_request_target analog to pull_request_review. The approach taken here is taken from + # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/. + pr-review-trigger: + name: Reviewed + runs-on: ubuntu-latest + steps: + - name: Env + run: printenv + env: + GITHUB_CONTEXT: ${{ toJson(github) }} + - name: Capture PR Number + run: + echo ${{ github.event.pull_request.number }} >> pr-number.txt + - name: Archive Event + uses: actions/upload-artifact@v4 + with: + name: pr-number.txt + path: pr-number.txt diff --git a/.github/workflows/pr-reviewed.yml b/.github/workflows/pr-reviewed.yml new file mode 100644 index 0000000000000..2f6cae8a4fe97 --- /dev/null +++ b/.github/workflows/pr-reviewed.yml 
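Review bot: `pr-review-trigger` fires on every submitted review with no check on who reviewed, so a comment-only review from any account (as far as I can tell, including the PR author) leads to the `triage` label being removed downstream. If the intent is "a committer has looked at this", add a job-level condition such as `if: github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'OWNER'`. That condition helps the normal flow only: this workflow runs in the PR's context, so the privileged pr-reviewed.yml should not rely on it as its sole gate. Separately, `echo ${{ github.event.pull_request.number }}` expands the expression into the script text; it is an integer and harmless here, but passing it through `env:` and writing `echo "$PR_NUMBER" > pr-number.txt` matches how pr-update.yml handles `NUMBER`.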
@@ -0,0 +1,53 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Remove Triage Label + +on: + workflow_run: + workflows: [Pull Request Reviewed] + types: + - completed + +jobs: + # This job runs with elevated permissions and the ability to modify pull requests. The steps taken here + # should be limited to updating labels and adding comments to PRs. This approach is taken from + # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/. + remove-triage: + if: ${{ github.event.workflow_run.conclusion == 'success' }} + runs-on: ubuntu-latest + steps: + - name: Env + run: printenv + env: + GITHUB_CONTEXT: ${{ toJson(github) }} + - uses: actions/download-artifact@v4 + with: + github-token: ${{ github.token }} + run-id: ${{ github.event.workflow_run.id }} + name: pr-number.txt + - name: Remove label + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + var pr_number = Number(fs.readFileSync('./pr-number.txt')); + await github.rest.issues.removeLabel({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: pr_number, + name: 'triage' + }); 
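Review bot: The `Remove label` script uses `pr-number.txt` as-is, but that artifact is produced by the unprivileged `pull_request_review` run and should be treated as untrusted input by this elevated job. `Number(...)` limits the content to a number, yet a crafted artifact could still point the job at a different PR, so the value should be checked to be a plain positive integer and ideally compared with the PR associated with `github.event.workflow_run`. `issues.removeLabel` also returns 404 when the label is not on the PR, which would fail this job for every reviewed PR that never had `triage`. The job has no `permissions:` block, so it runs with the repository default; an explicit job-level `permissions:` entry with `pull-requests: write` would state the intent.

```yaml
          script: |
            const fs = require('fs');
            // The artifact was written by a run in the PR's context: validate before use.
            const raw = fs.readFileSync('./pr-number.txt', 'utf8').trim();
            if (!/^[1-9][0-9]*$/.test(raw)) {
              core.setFailed('pr-number.txt does not contain a PR number');
              return;
            }
            try {
              await github.rest.issues.removeLabel({
                // … unchanged: owner, repo …
                issue_number: Number(raw),
                name: 'triage'
              });
            } catch (e) {
              // 404 means the label was not on the PR; anything else is a real failure.
              if (e.status !== 404) throw e;
            }
```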
diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 88a7fb78bf79c..ff9b6edb767a2 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -66,17 +66,18 @@ jobs: PR_USER: ${{ github.event.pull_request.user.login }} run: | set +e - echo "Checking repo contributors for PR author $PR_USER" - FOUND_CONTRIBUTOR=$(gh api \ + echo "Checking apache org members for PR author $PR_USER" + gh api --verbose \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/apache/kafka/contributors --jq '.[] | select(.login == "'"$PR_USER"'") | .login') - if [ "$FOUND_CONTRIBUTOR" == "$PR_USER" ]; then - echo "Found contributor $FOUND_CONTRIBUTOR that matches PR author $PR_USER" - echo "contributor=1" >> $GITHUB_OUTPUT - else + "/orgs/apache/members/$PR_USER" + exitcode=$? + if [ $exitcode -ne 0 ]; then echo "Did not find contributor for $PR_USER" echo "contributor=0" >> $GITHUB_OUTPUT + else + echo "Found contributor $FOUND_CONTRIBUTOR that matches PR author $PR_USER" + echo "contributor=1" >> $GITHUB_OUTPUT fi - if: steps.check-author.outputs.contributor == 0 env: From 59fd6933a173def8f43d7254741751e481e25124 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 4 Dec 2024 13:07:03 -0500 Subject: [PATCH 17/21] try different api call --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index ff9b6edb767a2..1c24e2c6581c9 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -70,7 +70,7 @@ jobs: gh api --verbose \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - "/orgs/apache/members/$PR_USER" + "/orgs/apache/teams/kafka-committers/memberships/$PR_USER" exitcode=$? if [ $exitcode -ne 0 ]; then echo "Did not find contributor for $PR_USER" From 090088ad7aacd5cc3cdbde735d8c7eb4e29fb51f Mon Sep 17 00:00:00 2001 
From: David Arthur Date: Wed, 4 Dec 2024 13:22:30 -0500 Subject: [PATCH 18/21] another way --- .github/workflows/pr-update.yml | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 1c24e2c6581c9..70a0bcd4df58b 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -59,27 +59,7 @@ jobs: run: printenv env: GITHUB_CONTEXT: ${{ toJson(github) }} - - name: Check PR Author # The step sets output "exitcode" to 0 iff the PR is from a committer. - id: check-author - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_USER: ${{ github.event.pull_request.user.login }} - run: | - set +e - echo "Checking apache org members for PR author $PR_USER" - gh api --verbose \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "/orgs/apache/teams/kafka-committers/memberships/$PR_USER" - exitcode=$? - if [ $exitcode -ne 0 ]; then - echo "Did not find contributor for $PR_USER" - echo "contributor=0" >> $GITHUB_OUTPUT - else - echo "Found contributor $FOUND_CONTRIBUTOR that matches PR author $PR_USER" - echo "contributor=1" >> $GITHUB_OUTPUT - fi - - if: steps.check-author.outputs.contributor == 0 + - if: github.event.pull_request.author_association != 'MEMBER' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} From 935bd124d14ea5a7f4eaeca6fec30459bf4b038f Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 4 Dec 2024 13:25:01 -0500 Subject: [PATCH 19/21] add owner --- .github/workflows/pr-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index 70a0bcd4df58b..c17391fffded7 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml 
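Review bot: `author_association != 'MEMBER'` in patch 18 tests membership of the organisation that owns the repository, not commit rights on this repository. The comment added in patch 20, "If the PR is from a non-committer", therefore overstates what the condition checks, and the same applies to the `OWNER` clause added in patch 19. An author whose association is `COLLABORATOR` would still receive the `triage` label, while any organisation member would skip it. If that behaviour is intended, the comment could say so directly, e.g. `# Add the triage label unless the author is an org MEMBER or the repo OWNER`.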
@@ -59,7 +59,7 @@ jobs: run: printenv env: GITHUB_CONTEXT: ${{ toJson(github) }} - - if: github.event.pull_request.author_association != 'MEMBER' + - if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} From 2833884b5ef1f2c758ef29936efeb0525c02f6a3 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Wed, 4 Dec 2024 13:32:05 -0500 Subject: [PATCH 20/21] add comment, clean up if --- .github/workflows/pr-update.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml index c17391fffded7..e1cd7214d6c36 100644 --- a/.github/workflows/pr-update.yml +++ b/.github/workflows/pr-update.yml @@ -59,7 +59,10 @@ jobs: run: printenv env: GITHUB_CONTEXT: ${{ toJson(github) }} - - if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER' + # If the PR is from a non-committer, add triage label + - if: | + github.event.pull_request.author_association != 'MEMBER' && + github.event.pull_request.author_association != 'OWNER' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_REPO: ${{ github.repository }} From ecd5eab3de7294c818b7b6d060e3322906b2cff2 Mon Sep 17 00:00:00 2001 From: David Arthur Date: Tue, 10 Dec 2024 12:02:20 -0500 Subject: [PATCH 21/21] add some GHA docs --- .github/workflows/README.md | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index f921ad78393ca..26f22cb27414d 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md 
@@ -51,6 +51,54 @@ using this for very simple tasks such as applying labels or adding comments to P _We must never run the untrusted PR code in the elevated `pull_request_target` context_ +## Our Workflows + +### Trunk Build + +The [ci.yml](ci.yml) is run when commits are pushed to trunk. This calls into [build.yml](build.yml) +to run our main build. In the trunk build, we do not read from the Gradle cache, +but we do write to it. Also, the test catalog is only updated from trunk builds. + +### PR Build + +Similar to trunk, this workflow starts in [ci.yml](ci.yml) and calls into [build.yml](build.yml). +Unlike trunk, the PR builds _will_ utilize the Gradle cache. + +### PR Triage + +In order to get the attention of committers, we have a triage workflow for Pull Requests +opened by non-committers. This workflow consists of three files: + +* [pr-update.yml](pr-update.yml) When a PR is created add the `triage` label if the PR + was opened by a non-committer. +* [pr-reviewed-trigger.yml](pr-reviewed-trigger.yml) Runs when any PR is reviewed. + Used as a trigger for the next workflow +* [pr-reviewed.yml](pr-reviewed.yml) Remove the `triage` label after a PR has been reviewed + +_The pr-update.yml workflow includes pull_request_target!_ + +### CI Approved + +Due to a combination of GitHub security and ASF's policy, we required explicit +approval of workflows on PRs submitted by non-committers (and non-contributors). +To simply this process, we have a `ci-approved` label which automatically approves +these workflows. + +There are two files related to this workflow: + +* [pr-labeled.yml](pr-labeled.yml) approves a pending approval for PRs that have +been labeled with `ci-approved` +* [ci-requested.yml](ci-requested.yml) approves future CI requests automatically +if the PR has the `ci-approved` label + +_The pr-labeled.yml workflow includes pull_request_target!_ + +### Stale PRs + +This one is straightforward. 
Using the "actions/stale" GitHub Action, we automatically +label and eventually close PRs which have not had activity for some time. See the +[stale.yml](stale.yml) workflow file for specifics. + ## GitHub Actions Quirks ### Composite Actions