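name: Mark PR as draft when changes are requested

# pull_request_target runs in the context of the base repository, so the job
# token is writable even for PRs opened from forks. That is acceptable here
# only while all of the following stay true:
# 1. No external actions are used; the steps only call the GitHub CLI via run
# 2. Permissions are minimal: none at workflow level, pull-requests: write
#    granted per job
# 3. No code from the PR is checked out or executed
# 4. The steps only add/remove labels or change the draft status
# 5. No ${{ }} expression is expanded inside a run script; values reach the
#    shell through env, and review/label fields are only compared in `if:`
on: # zizmor: ignore[dangerous-triggers]
  pull_request_target:
    types:
      # NOTE(review): `review_submitted` does not appear among the documented
      # activity types for pull_request_target (review submissions are
      # delivered as the separate pull_request_review event), so the
      # review-driven branch of mark-draft may never fire. Confirm against
      # run history before relying on it.
      - review_submitted
      - labeled
      - ready_for_review

# Deny everything by default; each job opts in to the single scope it needs.
permissions: {}

jobs:
  # Converts the PR back to draft when a reviewer requests changes or when the
  # "please address review comments" label is applied.
  mark-draft:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: |
      (
        github.event.action == 'review_submitted' &&
        github.event.review.state == 'changes_requested'
      ) || (
        github.event.action == 'labeled' &&
        github.event.label.name == 'pr:please address review comments'
      )
    env:
      GH_TOKEN: ${{ github.token }}
      # Nothing is checked out, so gh has no git remote to infer the
      # repository from; name it explicitly for every gh call in this job.
      GH_REPO: ${{ github.repository }}
      # Passed through the environment so the run scripts below stay static
      # text with no expression expansion inside the shell.
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - name: Add label on requested changes
        # Skipped on the `labeled` path: that event payload carries no review
        # object, so the comparison evaluates to false.
        if: github.event.review.state == 'changes_requested'
        run: |
          gh issue edit "$PR_NUMBER" \
            --repo "$GH_REPO" \
            --add-label "pr:please address review comments"

      - name: Mark PR as draft
        # Best effort: `|| true` keeps the job green if the conversion fails.
        # The original command had no --repo, so with no checkout gh could not
        # resolve the repository and the failure was hidden by `|| true`.
        run: |
          gh pr ready "$PR_NUMBER" --repo "$GH_REPO" --undo || true

  # Swaps the labels once the author marks the PR ready for review again.
  ready-for-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    if: github.event.action == 'ready_for_review'
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - name: Update labels for review
        run: |
          # Removing a label that is not present is not an error for this job.
          gh issue edit "$PR_NUMBER" \
            --repo "$GH_REPO" \
            --remove-label "pr:please address review comments" || true

          gh issue edit "$PR_NUMBER" \
            --repo "$GH_REPO" \
            --add-label "pr:needs review"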