feat(replay-vision): API validation + lens_result row column #25331
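name: Auto Assign Reviewers

# NOTE: We use `pull_request_target` here but this is extremely dangerous.
# DO NOT ATTEMPT TO MODIFY THIS FILE WITHOUT VALIDATING WITH THE SECURITY TEAM.
#
# We need to make sure we're never running untrusted code here since this workflow
# skips any GitHub security checks and any permissions - it'll always run when a user opens a PR against our repo.
# To make it risk free we need to GUARANTEE we're only ever running code that is trusted - i.e. from our master branch.
#
# This has the small downside that changes to CODEOWNERS will not be reflected in here until we merge it to master,
# which means testing this workflow is slightly less convenient but that's well worth it.
#
# Review checklist for any change to this file:
#   - every `uses:` reference is pinned to a full commit SHA
#   - the checkout `ref` is still `master`
#   - no step installs dependencies or runs files that come from the PR head
#   - PR-supplied values reach the script through `env:`, never through
#     `${{ }}` interpolation inside a `run:` body

on:
  pull_request_target:
    # Only opened or when clicking ready otherwise you can never remove the reviewers
    types: [opened, ready_for_review]

# This block scopes only the automatic GITHUB_TOKEN. The steps below use a
# GitHub App installation token instead, and its reach is set by the App's
# own permissions, not by this block.
permissions:
  contents: read

jobs:
  assign-reviewers:
    runs-on: 'ubuntu-22.04'
    timeout-minutes: 5
    # Draft PRs are skipped on `opened`; they are picked up by `ready_for_review`.
    if: github.event.pull_request.draft == false
    steps:
      # GitHub app token is required because GITHUB_TOKEN can't assign team members as reviewers (requires org-level permission)
      - name: Get app token
        id: app-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          client-id: ${{ secrets.GH_APP_POSTHOG_ASSIGN_REVIEWERS_APP_ID }}
          private-key: ${{ secrets.GH_APP_POSTHOG_ASSIGN_REVIEWERS_PRIVATE_KEY }}

      # NOTE(review): this is the only action referenced by a mutable tag; the
      # other two are pinned to a commit SHA. It receives the app token, so pin
      # it the same way (`actions/checkout@<full-commit-sha> # v6.x.y`).
      # NOTE(review): checkout keeps the supplied token available to later git
      # commands by default. If assign-reviewers.js does not need authenticated
      # git access, add `persist-credentials: false` - confirm against the script.
      - name: Checkout master branch
        uses: actions/checkout@v6
        with:
          token: ${{ steps.app-token.outputs.token }}
          # this value MUST be set to `master` to avoid executing untrusted code.
          # we execute assign-reviewers.js below from whatever branch is checked out
          ref: master

      # `.nvmrc` is read from the master checkout above, not from the PR.
      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: .nvmrc

      # Script runs from master branch (protected), but can diff against PR branch
      - name: Run reviewer assignment script
        # Event data is handed to the script as environment variables so that
        # none of it becomes part of the shell text in `run`.
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          node .github/scripts/assign-reviewers.js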