feat(analytics): demand-adaptive token-bucket flush governor #232
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Target Branch Check | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened, edited, labeled, unlabeled] | |
| jobs: | |
| check-pr-target: | |
| name: Check PR targets a release branch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| issues: write | |
| steps: | |
| - name: Validate source branch | |
| env: | |
| HEAD_REF: ${{ github.head_ref }} | |
| BASE_REF: ${{ github.base_ref }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| GH_TOKEN: ${{ github.token }} | |
| REPO: ${{ github.repository }} | |
| LABEL: "needs: release branch" | |
| run: | | |
| # If PR doesn't target master, this check doesn't apply — clean up any stale label and pass | |
| if [[ "$BASE_REF" != "master" ]]; then | |
| echo "PR targets '$BASE_REF' (not master) — check not required." | |
| gh pr edit $PR_NUMBER --repo $REPO --remove-label "$LABEL" 2>/dev/null || true | |
| exit 0 | |
| fi | |
| if [[ "$HEAD_REF" == rel/* ]] || [[ "$HEAD_REF" == ci/* ]] || [[ "$HEAD_REF" == docs/* ]]; then | |
| echo "Branch '$HEAD_REF' is allowed to target master." | |
| gh pr edit $PR_NUMBER --repo $REPO --remove-label "$LABEL" 2>/dev/null || true | |
| exit 0 | |
| fi | |
| # Check for manual-merge override label | |
| HAS_OVERRIDE=$(gh api "repos/$REPO/issues/$PR_NUMBER/labels" \ | |
| --jq '.[] | select(.name == "manual-merge") | .name' | head -1) | |
| if [ -n "$HAS_OVERRIDE" ]; then | |
| echo "manual-merge label present — bypassing check. This PR will merge directly to master without a release branch." | |
| gh pr edit $PR_NUMBER --repo $REPO --remove-label "$LABEL" 2>/dev/null || true | |
| exit 0 | |
| fi | |
| # Post a comment only if one hasn't been posted already | |
| MARKER="<!-- pr-target-check-warning -->" | |
| EXISTING=$(gh api "repos/$REPO/issues/$PR_NUMBER/comments" \ | |
| --jq ".[] | select(.body | contains(\"$MARKER\")) | .id" | head -1) | |
| if [ -z "$EXISTING" ]; then | |
| gh api "repos/$REPO/issues/$PR_NUMBER/comments" \ | |
| --method POST \ | |
| --field body="${MARKER} | |
| **:warning: This PR needs to target a release branch before it can merge to \`master\`.** | |
| All changes — including hotfixes, dependency bumps, and feature work — should flow through a \`rel/*\` branch rather than merging directly to \`master\`. This keeps commit history clean and ensures every change is tied to a release. | |
| **To fix:** change the base branch of this PR to the appropriate \`rel/*\` branch when available. You can do this without closing the PR — use the base branch dropdown at the top of the PR. | |
| - If this is CI/tooling work, rename your branch with a \`ci/\` prefix and this check will pass | |
| - If this is documentation-only work, rename your branch with a \`docs/\` prefix and this check will pass | |
| > **Override:** In exceptional circumstances, a maintainer may add the \`manual-merge\` label to bypass this check and merge directly to \`master\`. This should be used sparingly — it skips the release branch entirely and may result in changes not being included in a release or loss of commit attribution if not handled carefully. | |
| _Enforced by the \`pr-target-check\` workflow._" | |
| fi | |
| gh pr edit $PR_NUMBER --repo $REPO --add-label "$LABEL" | |
| echo "Branch '$HEAD_REF' cannot target master directly. Must use rel/*, ci/*, or docs/*. Add the manual-merge label to override." | |
| exit 1 |