Not Enough Licenses™ #25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto Label and Merge PRs | |
| on: | |
| pull_request_target: # Necessary for WRITE permissions (labels, merge, close) | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| contents: read # Required for actions/checkout@v4 and reading history | |
| pull-requests: write # Required for labels, merge, and close | |
| jobs: | |
| label-and-process: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # ✅ 1. Checkout the BASE (safe) code | |
| # This step sets the local repository to the state of the target branch (e.g., main). | |
| - name: Checkout Base Code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| fetch-depth: 0 | |
| # ✅ 2. Fetch the HEAD (PR changes) securely for comparison | |
| # This brings the PR's commits into the local history for comparison. | |
| - name: Fetch PR Changes for Comparison | |
| run: | | |
| git fetch origin ${{ github.event.pull_request.head.sha }} | |
| # ✅ 3. Add 'automerge' label | |
| - name: Add 'automerge' label | |
| uses: actions-ecosystem/action-add-labels@v1 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} # Default token works for labeling | |
| labels: automerge | |
| # ✅ 4. Check if PR touches restricted files (Robust Logic) | |
| - name: Check changed files | |
| id: file-check | |
| run: | | |
| # Use git log --not to reliably list files introduced in the PR branch. | |
| changed_files=$(git log --no-merges --name-only --format="" ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | sort -u) | |
| echo "Changed Files in PR: $changed_files" | |
| # Define the restricted file pattern | |
| RESTRICTED_PATTERN='^(\.github\/|README\.md$)' | |
| # Check if any changed file matches the restricted pattern | |
| if echo "$changed_files" | grep -qE "$RESTRICTED_PATTERN"; then | |
| echo "::notice ::Restricted files modified — skipping merge and closing PR." | |
| echo "skip_merge=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "skip_merge=false" >> $GITHUB_OUTPUT | |
| fi | |
| # ✅ 5. Merge the PR if it's safe (Uses PAT for permissions) | |
| - name: Merge PR | |
| if: steps.file-check.outputs.skip_merge == 'false' | |
| env: | |
| # REQUIRED FIX: Use the powerful PAT for merging external PRs | |
| GH_TOKEN: ${{ secrets.GH_PAT_MERGE }} | |
| run: | | |
| gh pr merge ${{ github.event.pull_request.number }} --merge --auto | |
| # ❌ 6. Remove label if merge is skipped | |
| - name: Remove 'automerge' label | |
| if: steps.file-check.outputs.skip_merge == 'true' | |
| uses: actions-ecosystem/action-remove-labels@v1 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| labels: automerge | |
| # 💬 7. Comment reason | |
| - name: Comment on PR | |
| if: steps.file-check.outputs.skip_merge == 'true' | |
| uses: peter-evans/create-or-update-comment@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| body: | | |
| ⚠️ This pull request was automatically closed because it modifies restricted files. | |
| You **may not** change `README.md` because people need to know what this repo is alr? | |
| # 🛑 8. Close PR (Uses PAT for permissions) | |
| - name: Close PR | |
| if: steps.file-check.outputs.skip_merge == 'true' | |
| env: | |
| # REQUIRED FIX: Use the powerful PAT for closing external PRs | |
| GH_TOKEN: ${{ secrets.GH_PAT_MERGE }} | |
| run: | | |
| gh pr close ${{ github.event.pull_request.number }} |