# WARNING:
# When extending this workflow, be aware that $GITHUB_TOKEN - and the GitHub App
# installation token minted below - carry write access to issues and pull
# requests on the GitHub API. This means that it must not evaluate user input
# (the `headBranch` input, event payload fields, ...) in a way that allows code
# injection: keep such values inside `${{ }}` expressions and `if:` conditions,
# never interpolate them into `run:` or `script:` bodies.
5
# Workflow name; also part of the concurrency group key below.
name: Labels

on:
  # Periodic pass, every 10 minutes (at minutes ending in 7). The job-level
  # `if` below restricts scheduled runs to the upstream repository.
  schedule:
    - cron: '07,17,27,37,47,57 * * * *'
  # Invoked from another workflow (the per-PR path).
  workflow_call:
    inputs:
      # JSON document describing the PR branch; only its `type` field is read
      # here (labeler steps). NOTE(review): the exact schema is produced by the
      # calling workflow - confirm there before relying on other fields.
      headBranch:
        required: true
        type: string
    secrets:
      # Private key of the GitHub App used to mint a higher-rate-limit token.
      NIXPKGS_CI_APP_PRIVATE_KEY:
        required: true
  # Manual trigger; runs without any PR context.
  workflow_dispatch:
20
concurrency:
  # This explicitly avoids using `run_id` for the concurrency key to make sure that only
  # *one* scheduled run can run at a time.
  # When called via workflow_call the `github` context is the caller's (which is
  # why `pull_request_target` can show up as the event name below), so PR runs
  # get a per-PR group; for schedule/dispatch runs the PR number is empty and
  # all such runs share a single group.
  group: labels-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number }}
  # PR-triggered runs will be cancelled, but scheduled runs will be queued.
  cancel-in-progress: ${{ github.event_name != 'schedule' }}
27
# This is used as fallback without app only.
# This happens when testing in forks without setting up that app.
# The scopes mirror what the app token is minted with below
# (permission-issues / permission-pull-requests: write); keep the two in sync.
permissions:
  issues: write
  pull-requests: write

defaults:
  run:
    # Explicit bash for every `run:` step (the `gh api ... | jq` pipelines below).
    shell: bash
37
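jobs:
  update:
    runs-on: ubuntu-24.04-arm
    # Scheduled runs are restricted to the upstream repository so forks do not
    # spend API quota every 10 minutes; called/dispatched runs are allowed anywhere.
    if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Only the scripts this job executes are needed.
          sparse-checkout: |
            ci/github-script
          # Do not leave the checkout token in .git/config: the next step runs
          # `npm install` on unpinned packages, whose install scripts would
          # otherwise be able to read it. Every later step authenticates through
          # an explicitly passed token (GH_TOKEN / github-token / repo-token),
          # so nothing here needs the persisted git credentials.
          # NOTE(review): labels.js is not visible here - confirm it does not
          # shell out to git with the persisted token before relying on this.
          persist-credentials: false

      # NOTE(review): these packages are installed unpinned and without a
      # lockfile, so what ends up running depends on the npm registry at run
      # time; pinning exact versions (or committing a package-lock.json) and
      # passing `--ignore-scripts` would make this step reproducible.
      - name: Install dependencies
        run: npm install @actions/artifact bottleneck

      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
      # Skipped on pull_request events (the script then runs in dry mode) and when
      # the app is not configured (forks); the steps below fall back to github.token.
      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          # Scope the installation token to exactly what this job needs; this
          # matches the fallback GITHUB_TOKEN permissions declared at the top.
          permission-issues: write
          permission-pull-requests: write

      # Diagnostics only: remaining quota for whichever token is in use.
      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq

      # The script only receives the octokit client, the event context and the
      # core helpers; it must not evaluate anything from the event payload as
      # code (see the warning at the top of this file).
      - name: Labels from API data and Eval results
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          retries: 3
          # `dry` is true on pull_request runs, where no app token is minted.
          script: |
            require('./ci/github-script/labels.js')({
              github,
              context,
              core,
              dry: context.eventName == 'pull_request'
            })

      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq

      # `inputs.headBranch` is a JSON document supplied by the calling workflow.
      # It is only ever inspected inside expressions, never interpolated into a
      # `run:` or `script:` body, so it cannot inject shell or JavaScript.
      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files
        if: |
          github.event_name == 'pull_request_target' &&
          !contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          # NOTE(review): unlike the steps above there is no `|| github.token`
          # fallback here, so without the app (forks) this step gets an empty
          # token - confirm that is intended.
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler.yml # default
          sync-labels: true

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (no sync)
        if: |
          github.event_name == 'pull_request_target' &&
          !contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler-no-sync.yml
          sync-labels: false

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        name: Labels from touched files (development branches)
        # Development branches like staging-next, haskell-updates and python-updates get special labels.
        # This is to avoid the mass of labels there, which is mostly useless - and really annoying for
        # the backport labels.
        if: |
          github.event_name == 'pull_request_target' &&
          contains(fromJSON(inputs.headBranch).type, 'development')
        with:
          repo-token: ${{ steps.app-token.outputs.token }}
          configuration-path: .github/labeler-development-branches.yml
          sync-labels: true

      # Diagnostics only: quota left after labeling.
      - name: Log current API rate limits
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        run: gh api /rate_limit | jq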