70bf21e064
Deploy (to testing) and Test Playground Preview Worker / Deploy Playground Preview Worker (testing) (push) Has been skipped
Deploy Workers Shared Staging / Deploy Workers Shared Staging (push) Failing after 0s
Prerelease / build (push) Has been skipped
Handle Changesets / Handle Changesets (push) Has been cancelled
Semgrep OSS scan / semgrep-oss (push) Has been cancelled
68 lines
2.8 KiB
YAML
68 lines
2.8 KiB
YAML
name: "Rerun Code Owners (Privileged)"
|
|
|
|
# Privileged companion to rerun-codeowners.yml.
|
|
#
|
|
# Runs after the "Rerun Code Owners" trigger workflow completes. The
|
|
# workflow_run event always executes from the default branch with full
|
|
# permissions — this is what allows us to call the Actions API even when the
|
|
# original event (pull_request_review) came from a fork PR, where the
|
|
# GITHUB_TOKEN would otherwise be read-only.
|
|
#
|
|
# The PR head SHA is read from github.event.workflow_run.head_sha — this is
|
|
# GitHub-provided metadata and cannot be manipulated by fork code (unlike
|
|
# the previous artifact-based approach).
|
|
#
|
|
# Strategy: CHECK-NAME LOOKUP
|
|
# ----------------------------
|
|
# The codeowners.yml workflow uses pull_request_target, which means its
|
|
# workflow runs are indexed by the BASE branch SHA (e.g. main), NOT the PR
|
|
# head SHA. So we cannot find the run via:
|
|
#
|
|
# GET /actions/workflows/codeowners.yml/runs?head_sha=<PR_HEAD>
|
|
#
|
|
# That query returns nothing because the run's head_sha is main's HEAD.
|
|
#
|
|
# However, the codeowners-plus action creates its CHECK RUN on the PR head
|
|
# commit (so the status appears on the PR). The check-runs API lets us look
|
|
# up by check name + commit SHA:
|
|
#
|
|
# GET /commits/<PR_HEAD>/check-runs?check_name=Run+Codeowners+Plus
|
|
#
|
|
# From the check run's details_url we extract the Actions job ID, then
|
|
# re-run that specific job.
|
|
on:
|
|
workflow_run: # zizmor: ignore[dangerous-triggers] privileged companion reruns a fixed default-branch workflow using GitHub-provided workflow_run metadata only
|
|
workflows: ["Rerun Code Owners"]
|
|
types: [completed]
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
rerun-codeowners:
|
|
name: "Rerun Codeowners Plus"
|
|
runs-on: ubuntu-latest
|
|
if: github.event.workflow_run.conclusion == 'success'
|
|
permissions:
|
|
actions: write
|
|
checks: read
|
|
steps:
|
|
- name: Re-run Codeowners check
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
|
|
REPO: ${{ github.repository }}
|
|
run: |
|
|
# Find the "Run Codeowners Plus" check run on the PR head commit
|
|
# and extract the Actions job ID from the check run's details URL
|
|
# (the last path segment before any query string).
|
|
job_id=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/check-runs?check_name=Run+Codeowners+Plus" \
|
|
--jq '(.check_runs[0].details_url // "") | split("/") | last | split("?") | first' || true)
|
|
|
|
if [ -n "$job_id" ]; then
|
|
gh api "repos/${REPO}/actions/jobs/${job_id}/rerun" --method POST \
|
|
|| echo "::warning::Job ${job_id} may already be running"
|
|
echo "Re-triggered 'Run Codeowners Plus' (job ${job_id})"
|
|
else
|
|
echo "::warning::Check 'Run Codeowners Plus' not found for SHA ${HEAD_SHA}"
|
|
fi
|