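name: "Code Owners"

# Re-evaluate when PRs are opened/updated.
# When reviews are submitted/dismissed, the separate rerun-codeowners.yml workflow
# re-runs this check (rather than creating a second check context).
# Using pull_request_target (not pull_request) so the workflow has access to secrets
# for fork PRs. This is safe because:
# - The checkout is the BASE branch (ownership rules come from the protected branch)
# - PR head commits are fetched as git objects only (never checked out or executed)
# - The action only reads config files and calls the GitHub API
# Every future edit has to keep these three properties: with this trigger the job
# runs with CODEOWNERS_GITHUB_PAT for PRs from any fork, so no step may check out,
# build, install or run anything that comes from the PR head.
on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] checks base branch ownership rules and fetches PR head for diff computation without executing PR code
    types: [opened, reopened, synchronize, ready_for_review, labeled, unlabeled]

# One run per PR. Newer events cancel an in-flight run, except on the
# changeset-release branch.
concurrency:
  group: codeowners-${{ github.event.pull_request.number }}
  cancel-in-progress: ${{ github.head_ref != 'changeset-release/main' }}

# Limits the automatic GITHUB_TOKEN only. CODEOWNERS_GITHUB_PAT keeps whatever
# scopes it was created with, so its scope has to be kept minimal at the source.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  codeowners:
    name: "Run Codeowners Plus"
    runs-on: ubuntu-latest
    # Each step is skipped when:
    # - the PR head is the changeset-release branch of THIS repository
    #   (auto-generated changeset PRs), or
    # - the PR base is not `main` (PRs against feature branches don't need formal review).
    # The head branch name is chosen by the PR author, so on its own it does not
    # identify the auto-generated PR; the skip is therefore also tied to the head
    # repository. A job whose steps are all skipped still finishes successfully,
    # which matters if this check is required for merging.
    # Note: if we ever introduce a maintenance branch (e.g. a long-lived release branch),
    # it would need to be added to the base branch allowlist below.
    steps:
      - name: "Checkout Base Branch"
        if: >-
          github.event.pull_request.base.ref == 'main' &&
          !(github.event.pull_request.head.ref == 'changeset-release/main' &&
          github.event.pull_request.head.repo.full_name == github.repository)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history, needed to diff the base against the PR head.
          fetch-depth: 0
          # Do not leave a token in .git/config for later steps.
          persist-credentials: false

      - name: "Fetch PR Head (for diff computation)"
        if: >-
          github.event.pull_request.base.ref == 'main' &&
          !(github.event.pull_request.head.ref == 'changeset-release/main' &&
          github.event.pull_request.head.repo.full_name == github.repository)
        # Fetches objects only; nothing from the PR head is checked out.
        # The PR number is a numeric field set by GitHub, not author-controlled text.
        run: git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head
        env:
          # NOTE(review): git does not read GITHUB_TOKEN by itself and the checkout
          # above does not persist credentials, so this step appears not to need
          # the PAT. Confirm and drop this entry if so.
          GITHUB_TOKEN: "${{ secrets.CODEOWNERS_GITHUB_PAT }}"

      - name: "Codeowners Plus"
        if: >-
          github.event.pull_request.base.ref == 'main' &&
          !(github.event.pull_request.head.ref == 'changeset-release/main' &&
          github.event.pull_request.head.repo.full_name == github.repository)
        # Third-party action pinned to a full commit SHA; it receives the PAT, so
        # re-review the action's code whenever the pin is moved.
        uses: multimediallc/codeowners-plus@ff02aa993a92e8efe01642916d0877beb9439e9f # v1.9.0
        with:
          github-token: "${{ secrets.CODEOWNERS_GITHUB_PAT }}"
          pr: "${{ github.event.pull_request.number }}"
          verbose: true
          # Quiet mode follows the PR's draft state (see the action's docs for
          # what quiet mode suppresses).
          quiet: ${{ github.event.pull_request.draft }}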