chore: pr workflows#727
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces a comprehensive GitHub Actions automation suite to standardize and streamline pull request workflows. It adds automated labeling, conventional commit validation, review management, and release note generation to improve development velocity and code quality.
Key Changes:
- Automated PR labeling based on file changes and conventional commit types
- PR title and description validation with conventional commit enforcement
- Review-based label management (LGTM) and community contributor identification
- Automatic branch cleanup after merge
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/pr-checks.yml |
Validates PR titles follow conventional commits format using semantic-pull-request action |
.github/workflows/labeler.yml |
Automatically applies labels based on changed file paths |
.github/workflows/conventional-labels.yml |
Multi-stage validation: PR title, description, and automatic labeling by commit type |
.github/workflows/community-label.yml |
Tags PRs from external contributors with 'community' label |
.github/workflows/auto-delete-branch.yml |
Cleans up merged feature branches automatically |
.github/workflows/add-labels.yml |
Manages 'lgtm' label based on review approvals/changes requested |
.github/semantic.yml |
Configuration for semantic PR validation bot |
.github/release.yml |
Defines changelog categories for auto-generated release notes |
.github/labeler.yml |
Maps file path patterns to labels (frontend, backend, docs, etc.) |
.github/changes-filter.yaml |
Defines path filters for conditional CI triggering with dorny/paths-filter |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| console.log(`Skipping deletion of protected branch: ${branchName}`); | ||
| return; | ||
| } | ||
|
|
There was a problem hiding this comment.
The workflow only checks if the branch name is in the protected branches list, but it doesn't verify if the branch is from a fork. For PRs from forks, the branch deletion will fail because the workflow doesn't have permission to delete branches in the fork repository. Consider adding a check to skip deletion for fork PRs: if (context.payload.pull_request.head.repo.fork) { console.log('Skipping deletion for fork PR'); return; }
| // Skip deletion for branches coming from forked repositories | |
| const headRepo = context.payload.pull_request.head.repo; | |
| if (headRepo && headRepo.fork) { | |
| console.log('Skipping deletion for branch from forked repository'); | |
| return; | |
| } |
There was a problem hiding this comment.
Good suggestion
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
msmygit
left a comment
There was a problem hiding this comment.
I've left comments to pin down at major.minor versions, otherwise, LGTM
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Madhavan <[email protected]>
Co-authored-by: Copilot <[email protected]>
| console.log('PR description validation passed!'); | ||
|
|
||
| label: | ||
| needs: [validate-pr-title] |
There was a problem hiding this comment.
(j) [Minor] Label job not gated on description validation
- If validate-pr-description fails, the label is still applied (i.e. PRs with bad descriptions still get auto-labeled).
- Note: This is a Minor severity issue. Please feel free to ignore or optionally implement
| steps: | ||
| - name: Validate PR title follows Conventional Commits | ||
| id: validate | ||
| uses: Namchee/[email protected] |
There was a problem hiding this comment.
(k) [Minor] Security: Actions should be pinned to a commit SHA rather than a tag
- For workflows using pull_request_target (which runs with elevated base-repo permissions), actions should ideally be pinned to commit SHAs rather than tags to prevent supply-chain attacks:
- e.g.
# Before (tag):
- uses: bcoe/conventional-release-labels@v1
# After (SHA-pinned):
- uses: bcoe/conventional-release-labels@7b0c7d4b6c5b1e8a5c3c6d3e1b1a4f4b8a7e5c1d # v1.0.0- This is a best practice
- Same issue for
bcoe/conventional-release-labels@v1 - Same issue for
actions/github-script@v8. - Note: This is a Minor severity issue. Please feel free to ignore or optionally implement
| steps: | ||
| - name: Add community label | ||
| if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER' && github.event.pull_request.author_association != 'COLLABORATOR' | ||
| uses: actions/[email protected] |
There was a problem hiding this comment.
(l) [Minor] Security: Actions should be pinned to a commit SHA rather than a tag
- For workflows using pull_request_target (which runs with elevated base-repo permissions), actions should ideally be pinned to commit SHAs rather than tags to prevent supply-chain attacks:
- Note: This is a Minor severity issue. Please feel free to ignore or optionally implement
| issues: write | ||
| steps: | ||
| - name: Manage LGTM Review Label | ||
| uses: actions/[email protected] |
There was a problem hiding this comment.
(m) [Minor] Security: Actions should be pinned to a commit SHA rather than a tag
- For workflows using pull_request_target (which runs with elevated base-repo permissions), actions should ideally be pinned to commit SHAs rather than tags to prevent supply-chain attacks:
- Note: This is a Minor severity issue. Please feel free to ignore or optionally implement
Add guards so PR validation jobs only run for pull_request_target events. The validate-pr-title and validate-pr-description jobs now include `if: github.event_name == 'pull_request_target'`, and the Label PR job's condition was updated to `if: github.event_name == 'pull_request_target' && github.event.pull_request.user.type != 'Bot'`. This prevents duplicate or unintended runs on standard pull_request events and preserves the existing check to skip bot-created PRs.
Delete .github/semantic.yml and remove the validate-pr-title job from the conventional-labels workflow. Update the label job to depend on validate-pr-description instead of the removed title validation. This simplifies the PR validation flow by removing enforced Conventional Commit title checks and associated config.
Switch the workflow trigger from pull_request to pull_request_target so the action has write permissions to add labels on PRs from forks. Added inline note warning not to check out or run untrusted PR code because this workflow runs with base-repo permissions. Trigger types remain [opened, synchronize].
Update .github/workflows/add-labels.yml to listen for pull_request_review 'dismissed' events and treat a 'dismissed' review like 'changes_requested'. This ensures the LGTM label is removed when a review is dismissed and keeps PR labels in sync with review state.
Wrap the GitHub Actions github-script in a try/catch to make label management more resilient. Adds explicit handling for 404 (log and skip) and calls core.setFailed for other errors, plus clearer logs when adding/removing the 'lgtm' label. Changes are in .github/workflows/add-labels.yml to improve error reporting and avoid noisy failures when labels are concurrently removed.
Delete the redundant `description` fields for changelog categories in .github/release.yml to simplify the config. This relies on titles and labels for category identification and should not affect release generation behavior. Also trims a trailing blank line.
Replace floating action versions with exact commit SHAs in workflow files to ensure reproducible runs. Updated .github/workflows/community-label.yml and conventional-labels.yml to use a specific actions/github-script SHA (kept version comment), replaced bcoe/conventional-release-labels@v1 with its SHA, and updated actions/labeler reference in .github/workflows/labeler.yml to a specific SHA.
mpawlow
left a comment
There was a problem hiding this comment.
Code Review 2
- ✅ Approved / LGTM
- Everything looks good with the latest changes on the PR with the exception of the following issue: (a) [Major] merge_group event breaks two jobs
Co-authored-by: Copilot <[email protected]>
This pull request introduces a comprehensive set of GitHub workflow and configuration files to automate and standardize pull request labeling, review, and release processes. The main changes include adding PR label automation, enforcing conventional commit standards, managing labels based on reviews, and improving release note generation. These enhancements aim to streamline CI/CD, improve code quality, and ensure consistent project management.
Pull Request and Label Automation:
.github/labeler.ymland.github/workflows/labeler.ymlto automatically apply labels to PRs based on changed files, improving triage and review efficiency. [1] [2].github/changes-filter.yamlto define file path filters for categorizing changes by area (e.g., python, frontend, docs, docker, etc.), supporting advanced automation and reporting.Conventional Commit and PR Standards:
.github/workflows/conventional-labels.ymlto enforce conventional commit standards on PR titles and descriptions, validate PR descriptions for meaningful content, and automatically label PRs according to commit types..github/semantic.ymland.github/workflows/pr-checks.ymlto further enforce semantic PR titles and provide user guidance on commit message conventions. [1] [2]Release and Changelog Automation:
.github/release.ymlto categorize and generate changelogs automatically based on PR labels, making release notes more informative and structured.Review and Community Label Management:
.github/workflows/add-labels.ymlto add or remove an "lgtm" label based on PR review status, improving visibility of approved changes..github/workflows/community-label.ymlto automatically label PRs from external contributors as "community" for easier identification.Branch Management:
.github/workflows/auto-delete-branch.ymlto automatically delete merged branches (excluding protected branches), keeping the repository clean.Configuration Files
1.
.github/semantic.ymlPurpose: Configures the semantic PR bot to validate PR titles follow Conventional Commits format.
Benefits:
2.
.github/labeler.ymlPurpose: Configuration for
actions/labeler- maps file paths to labels.frontend/**frontendsrc/**backenddocs/**documentation.github/**citests/**testsDockerfile*,docker-compose*.ymldockerBenefits:
3.
.github/release.ymlPurpose: Configures GitHub's auto-generated release notes to group PRs by category.
breakingenhancementfix,bugdocumentationchore,refactor,style,performance,buildtestBenefits:
4.
.github/changes-filter.yamlPurpose: Configuration for
dorny/paths-filteraction - defines path groups for conditional CI triggers.Benefits:
Workflow Files
5.
.github/workflows/pr-checks.ymlPurpose: Validates PR titles follow Conventional Commits using
amannn/action-semantic-pull-request@v5.Allowed prefixes:
feat:,fix:,docs:,style:,refactor:,perf:,test:,build:,ci:,chore:,revert:Benefits:
6.
.github/workflows/conventional-labels.ymlPurpose: Two-part validation + labeling:
feat:→enhancement,fix:→bug, etc.)Benefits:
7.
.github/workflows/labeler.ymlPurpose: Auto-labels PRs based on which files were changed (uses
.github/labeler.ymlconfig).Benefits:
frontend,backend,docker, etc.8.
.github/workflows/add-labels.ymlPurpose: Manages the
lgtm(Looks Good To Me) label based on review status:lgtmlabellgtmlabelBenefits:
9.
.github/workflows/community-label.ymlPurpose: Auto-adds
communitylabel to PRs from external contributors (non-members, non-collaborators).Benefits:
10.
.github/workflows/auto-delete-branch.ymlPurpose: Automatically deletes feature branches after PRs are merged.
Benefits:
main,master,developfrom accidental deletion