This PR switches four lightweight workflows from `pull_request` to `pull_request_target` to stop GitHub from requiring manual approval when the `mathlib-lean-pr-testing[bot]` app triggers label events (e.g. adding `builds-mathlib`). Since the bot never lands commits on master, it is perpetually treated as a "first-time contributor" and every `pull_request` event it triggers requires approval. `pull_request_target` events always run without approval because they execute trusted code from the base branch. This is safe for all four workflows because none check out or execute code from the PR branch — they only read labels, PR body, and file lists from the event payload and API: - `awaiting-mathlib.yml` — checks label combinations - `awaiting-manual.yml` — checks label combinations - `pr-body.yml` — checks PR body formatting - `check-stdlib-flags.yml` — checks if stdlib_flags.h was modified via API Also adds explicit `permissions: pull-requests: read` to each workflow as a least-privilege hardening measure, since `pull_request_target` has access to secrets. Addresses the issue reported by Sebastian: https://lean-fro.zulipchat.com/#narrow/channel/398861-general/topic/mathlib.20pr-testing.20breakage.3F/near/575084348 🤖 Prepared with Claude Code --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
name: Check stdlib_flags.h modifications
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, synchronize, reopened, labeled, unlabeled]
|
|
|
|
permissions:
|
|
pull-requests: read
|
|
|
|
jobs:
|
|
check-stdlib-flags:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check if stdlib_flags.h was modified
|
|
uses: actions/github-script@v8
|
|
with:
|
|
script: |
|
|
// Get the list of files changed in this PR
|
|
const files = await github.paginate(
|
|
github.rest.pulls.listFiles,
|
|
{
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: context.payload.pull_request.number,
|
|
}
|
|
);
|
|
|
|
// Check if stdlib_flags.h was modified
|
|
const stdlibFlagsModified = files.some(file =>
|
|
file.filename === 'src/stdlib_flags.h'
|
|
);
|
|
|
|
if (stdlibFlagsModified) {
|
|
console.log('src/stdlib_flags.h was modified in this PR');
|
|
|
|
// Check if the unlock label is present
|
|
|
|
const { data: pr } = await github.rest.pulls.get({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: context.issue.number,
|
|
});
|
|
|
|
const hasUnlockLabel = pr.labels.some(label =>
|
|
label.name === 'unlock-upstream-stdlib-flags'
|
|
);
|
|
|
|
if (!hasUnlockLabel) {
|
|
core.setFailed(
|
|
'src/stdlib_flags.h was modified. This is likely a mistake. If you would like to change ' +
|
|
'bootstrapping settings or request a stage0 update, you should modify stage0/src/stdlib_flags.h. ' +
|
|
'If you really want to change src/stdlib_flags.h (which should be extremely rare), set the ' +
|
|
'unlock-upstream-stdlib-flags label.'
|
|
);
|
|
} else {
|
|
console.log('Found unlock-upstream-stdlib-flags');
|
|
}
|
|
} else {
|
|
console.log('src/stdlib_flags.h was not modified');
|
|
}
|
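Review bot: The reason this workflow is safe under `pull_request_target` — no step checks out or executes code from the PR head, only the event payload and API are read — is stated in the PR description but nowhere in the file, and a later edit adding `actions/checkout` with the PR head ref would silently break it while keeping the base repo's token; a comment next to the trigger such as `# pull_request_target runs with base-branch permissions and secrets: never check out or run PR-head code in this workflow` would keep that invariant visible. Since the workflow now runs with a trusted token, `uses: actions/github-script@v8` being pinned to a mutable major tag is worth tightening to a full commit SHA (`uses: actions/github-script@<commit-sha> # v8`, SHA to be filled in from the action's release). The top-level `permissions: pull-requests: read` does the right thing by dropping every other scope to none. Minor inconsistency: the `pulls.get` call uses `context.issue.number` while `pulls.listFiles` uses `context.payload.pull_request.number`; both resolve to the same number here, but using one form in both calls avoids suggesting two different numbers were intended.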