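name: OS Ready for review

# **What it does**: Adds pull requests and issues in the docs repository to the docs-content review board when the "waiting for review" label is added
# **Why we have it**: So that contributors in the OS repo can easily get reviews from the docs-content team, and so that writers can see when a PR is ready for review
# **Who does it impact**: Writers working in the docs repository
#
# Security model (read before editing):
# - `pull_request_target` runs with the repository's secrets even for PRs from forks.
#   That is only safe because every file this job executes (`src/workflows/...`,
#   `package.json`, `.github/actions/slack-alert`) comes from the BASE branch:
#   `actions/checkout` below is used with its default ref and must never be given
#   `ref: ${{ github.event.pull_request.head.sha }}` or any other PR-controlled ref.
# - The `labeled` trigger means `sender` is the account that applied the label,
#   which already requires triage/write access; the docs-team membership check
#   narrows that further before the write-scoped PAT is used.

on:
  # Needed in lieu of `pull_request` so that PRs from a fork can be triaged to the proper project board.
  pull_request_target:
    types: [labeled]
  issues:
    types: [labeled]

permissions:
  contents: read

jobs:
  request_doc_review:
    name: Request a review from the docs-content team
    # Only act on the one label we care about, and never in forks of this repo
    # (forks would not have the secrets and must not be able to run this logic).
    if: github.event.label.name == 'waiting for review' && github.repository == 'github/docs'
    runs-on: ubuntu-latest
    steps:
      # Default ref under pull_request_target is the base branch, so the script run
      # below is trusted code. Do NOT check out the PR head here.
      - name: Check out repo content
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Check if this run was triggered by a member of the docs team
        # TODO(review): add the version-tag comment this SHA corresponds to, as the other pins do.
        uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0
        id: triggered-by-member
        with:
          # Read-only org PAT: only needs to list team members.
          github-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}
          result-encoding: string
          script: |
            // `sender` is the user who applied the label (the event is `labeled`).
            const triggerer_login = context.payload.sender.login
            // Paginate the member list: a single page (max 100) would silently
            // drop members past the first page and wrongly deny them.
            const teamMembers = await github.paginate(
              'GET /orgs/github/teams/docs/members',
              { per_page: 100 }
            )
            const logins = teamMembers.map(member => member.login)
            if (logins.includes(triggerer_login)) {
              console.log(`This workflow was triggered by ${triggerer_login} (on the docs team).`)
              return 'true'
            }
            console.log(`This workflow was triggered by ${triggerer_login} (not on the docs team), so no action will be taken.`)
            return 'false'

      # Fail closed: anything other than an explicit 'true' from the check above aborts
      # before the write-scoped PAT is exposed to a step.
      - name: Exit if not triggered by a docs team member
        if: steps.triggered-by-member.outputs.result != 'true'
        run: |
          echo "Aborting. This workflow must be triggered by a member of the docs team."
          exit 1

      - name: Setup Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version-file: 'package.json'
          cache: npm

      - name: Install dependencies
        run: npm install @octokit/graphql

      # Runs base-branch code with the write-scoped PAT; only reached after the
      # membership gate above has passed.
      - name: Run script
        run: |
          node src/workflows/ready-for-docs-review.js
        env:
          TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
          PROJECT_NUMBER: 2936
          ORGANIZATION: 'github'
          ITEM_NODE_ID: ${{ github.event.pull_request.node_id || github.event.issue.node_id }}
          AUTHOR_LOGIN: ${{ github.event.pull_request.user.login || github.event.issue.user.login }}
          REPO: ${{ github.repository }}

      # Alert only for issue-triggered failures; PR-triggered failures (including the
      # deliberate abort for non-members) are not paged to Slack.
      - uses: ./.github/actions/slack-alert
        if: ${{ failure() && github.event_name != 'pull_request_target' }}
        with:
          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}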