From f88ba369dd14f0abad24290a9d1542b373d29606 Mon Sep 17 00:00:00 2001 From: Wolfsblvt Date: Tue, 7 Oct 2025 15:55:15 +0200 Subject: [PATCH] Workflows: Replace ISSUES_BOT_TOKEN with GitHub App for labeling + 'against release' auto comment (#4621) * ci: replace ISSUES_BOT_TOKEN with GitHub App authentication for PR auto-labeling workflow * Update PR auto comments for target branch guidance Added note about changing target branch for PRs. --------- Co-authored-by: Cohee <18619528+Cohee1207@users.noreply.github.com> --- .github/pr-auto-comments.yml | 10 +++++++++ .github/workflows/pr-auto-manager.yml | 29 +++++++++++++++++++++++---- 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/.github/pr-auto-comments.yml b/.github/pr-auto-comments.yml index bdb3e8022..ee62d41fe 100644 --- a/.github/pr-auto-comments.yml +++ b/.github/pr-auto-comments.yml @@ -41,6 +41,16 @@ labels: 🔬 This PR needs testing! Any contributor can test and leave reviews, so feel free to help us out! + - name: ❗ Against Release Branch + labeled: + pr: + body: > + ❗ This PR is against the `release` branch. + + Please make sure this was intended, and you did not want to target the `staging` branch. Only hotfixes, readme changes and similar should be made against `release`. + + You can change the target branch **without recreating the PR** by clicking "Edit" at the top of the page. + - name: 🟥 ⬤⬤⬤⬤⬤ labeled: pr: diff --git a/.github/workflows/pr-auto-manager.yml b/.github/workflows/pr-auto-manager.yml index 146ec0e2d..cfc0627b3 100644 --- a/.github/workflows/pr-auto-manager.yml +++ b/.github/workflows/pr-auto-manager.yml 
@@ -12,6 +12,25 @@ permissions: pull-requests: write jobs: + app-auth: + name: 🔑 Mint App token + runs-on: ubuntu-latest + if: always() + + outputs: + app_token: ${{ steps.app.outputs.token }} + + steps: + - name: Create GitHub App Token + # Create a GitHub App token + # https://github.com/marketplace/actions/create-github-app-token + uses: actions/create-github-app-token@v2 + id: app + with: + app-id: ${{ vars.ST_BOT_APP_ID }} + private-key: ${{ secrets.ST_BOT_SECRET }} + owner: ${{ github.repository_owner }} + run-eslint: name: ✅ Check ESLint on PR runs-on: ubuntu-latest @@ -59,7 +78,7 @@ jobs: label-by-size: name: 🏷️ Label PR by Size # This job should run after all others, to prevent possible concurrency issues - needs: [label-by-branches, label-by-files, remove-stale-label, check-merge-blocking-labels, write-auto-comments] + needs: [app-auth, label-by-branches, label-by-files, remove-stale-label, check-merge-blocking-labels, write-auto-comments] runs-on: ubuntu-latest # Only needs to run when code is changed if: always() && (github.event.action == 'opened' || github.event.action == 'synchronize') @@ -76,7 +95,7 @@ jobs: # https://github.com/marketplace/actions/pull-request-size-labeler uses: codelytv/pr-size-labeler@v1.10.2 with: - GITHUB_TOKEN: ${{ secrets.ISSUES_BOT_TOKEN }} + GITHUB_TOKEN: ${{ needs.app-auth.outputs.app_token }} xs_label: '🟩 ⬤○○○○' xs_max_size: '20' s_label: '🟩 ⬤⬤○○○' @@ -93,6 +112,7 @@ jobs: label-by-branches: name: 🏷️ Label PR by Branches + needs: [app-auth] runs-on: ubuntu-latest # Only label once when PR is created or when base branch is changed, to allow manual label removal if: github.event.action == 'opened' || (github.event.action == 'synchronize' && github.event.changes.base) 
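Review bot: Passing the App token to other jobs through `outputs: app_token` on the new `app-auth` job is unlikely to work as intended, and it moves a credential across a job boundary. GitHub Actions documents that job outputs containing masked secrets are redacted on the runner and not sent on, and `actions/create-github-app-token` masks the token it mints. As far as I know the action also revokes the token in its post step unless `skip-token-revoke` is set, so `needs.app-auth.outputs.app_token` would reach the `pr-size-labeler` and `actions/labeler` steps (later hunks) empty or already revoked. Mint the token as the first step of each job that uses it and read `steps.app.outputs.token` there. The `app-auth` job, its `if: always()`, and the added `needs: [app-auth]` edges can then be dropped.

```yaml
  label-by-branches:
    # … unchanged: name, runs-on, if (without `needs: [app-auth]`) …
    steps:
      - name: Create GitHub App Token
        id: app
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.ST_BOT_APP_ID }}
          private-key: ${{ secrets.ST_BOT_SECRET }}
          owner: ${{ github.repository_owner }}
      # … unchanged: the job's existing steps; the labeler's token input becomes …
          repo-token: ${{ steps.app.outputs.token }}
```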
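Review bot: The value now passed as `GITHUB_TOKEN` to the third-party `codelytv/pr-size-labeler` step is broader than labeling needs. Because the minting step sets `owner: ${{ github.repository_owner }}` with no `repositories`, create-github-app-token scopes the token to every repository in that owner's installation, and no `permission-*` input narrows it. Dropping `owner` (the action then defaults to the current repository) and adding `permission-pull-requests: write` (confirm that is all the labelers need) would limit a leaked or misused token to this repository's PRs. Pinning `actions/create-github-app-token@v2` to a full commit SHA is also worth doing, because that step receives the App private key. The `with:` block of the size-labeler step continues past this hunk.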
@@ -109,10 +129,11 @@ jobs: uses: actions/labeler@v5.0.0 with: configuration-path: .github/pr-auto-labels-by-branch.yml - repo-token: ${{ secrets.ISSUES_BOT_TOKEN }} + repo-token: ${{ needs.app-auth.outputs.app_token }} label-by-files: name: 🏷️ Label PR by Files + needs: [app-auth] runs-on: ubuntu-latest # Only needs to run when code is changed if: github.event.action == 'opened' || github.event.action == 'synchronize' @@ -129,7 +150,7 @@ jobs: uses: actions/labeler@v5.0.0 with: configuration-path: .github/pr-auto-labels-by-files.yml - repo-token: ${{ secrets.ISSUES_BOT_TOKEN }} + repo-token: ${{ needs.app-auth.outputs.app_token }} remove-stale-label: name: 🗑️ Remove Stale Label on Comment