cilium

1
name: PR from External Contribution Detector
2

3
on:
4
  pull_request_target:
5
    types:
6
      - opened
7
      - reopened
8

9
jobs:
10
  labeler:
11
    if: |
12
      (
13
        (github.event.pull_request.author_association != 'OWNER') &&
14
        (github.event.pull_request.author_association != 'COLLABORATOR') &&
15
        (github.event.pull_request.author_association != 'MEMBER')
16
      )
17
    runs-on: ubuntu-latest
18
    name: Label PRs
19
    permissions:
20
      pull-requests: write
21
    steps:
22
        # Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't
23
        # bother running this GH workflow.
24
      - name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets
25
        id: check_secret
26
        run: |
27
          echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}"
28
          echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT
29

30
      - name: Get token
31
        # Get a token with the read:org permissions so that the GH action
32
        # can read the team membership for a user. We need to do this over a
33
        # GH app because GH actions don't have support for these type of
34
        # permissions.
35
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
36
        id: get_token
37
        uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
38
        with:
39
          APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }}
40
          APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }}
41

42
      - name: Check author association
43
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
44
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
45
        id: author_association
46
        # https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user
47
        with:
48
          github-token: ${{ steps.get_token.outputs.app_token }}
49
          script: |
50
            try {
51
              const result = await github.rest.orgs.checkMembershipForUser({
52
                org: "${{ github.repository_owner }}",
53
                username: "${{github.event.pull_request.user.login}}",
54
              })
55
              return result.status == 204;
56
            } catch {
57
              return false;
58
            }
59

60
      - name: Print author association
61
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
62
        run: |
63
          echo author_association_from_event=${{ github.event.pull_request.author_association }}
64
          echo author_association_from_api=${{ steps.author_association.outputs.result }}
65

66
      - name: Set label
67
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
68
        if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }}
69
        with:
70
          script: |
71
            github.rest.issues.addLabels({
72
              issue_number: context.issue.number,
73
              owner: context.repo.owner,
74
              repo: context.repo.repo,
75
              labels: ["kind/community-contribution"]
76
            })
77