vrr/zed
2
0
Fork 0
mirror of https://github.com/zed-industries/zed.git synced 2026-05-25 23:04:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 16
zed/.github/workflows/assign-reviewers.yml
John D. Swanson 0969363698
Skip PR assignee selection for org-member PRs (#52593) 
Self-Review Checklist:

- [x] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [x] Tests cover the new/changed behavior
- [x] Performance impact has been considered and is acceptable

Closes N/A — deploying
[codeowner-coordinator#90](https://github.com/zed-industries/codeowner-coordinator/pull/90)
to zed repo.

## Summary

Pass `ASSIGN_INTERNAL` and `ASSIGN_EXTERNAL` repository variables to the
assign-reviewers workflow. The coordinator script now uses these to
control whether an individual PR assignee is set based on the author's
org membership.

**Defaults:** org members skip assignee (teams self-organize
accountability), external contributors get an assignee (identifies who
should shepherd the PR). Both are togglable from repo Settings →
Variables without code changes.

Side benefit: skips the 30-55 second `poll_for_reviewers` polling loop
for org-member PRs.

## Post-merge manual step

Set repository variables (Settings → Secrets and variables → Actions →
Variables):
- `ASSIGN_INTERNAL` = `false`
- `ASSIGN_EXTERNAL` = `true`

Release Notes:

- N/A
2026-03-27 14:09:39 -04:00

104 lines
4.4 KiB
YAML
Raw Permalink Blame History

# Assign Reviewers — Smart team assignment based on diff weight
#
# Triggers on PR open and ready_for_review events. Checks out the coordinator
# repo (zed-industries/codeowner-coordinator) to access the assignment script and rules,
# then assigns the 1-2 most relevant teams as reviewers.
#
# NOTE: This file is stored in the codeowner-coordinator repo but must be deployed to
# the zed repo at .github/workflows/assign-reviewers.yml. See INSTALL.md.
#
# AUTH NOTE: Uses a GitHub App (COORDINATOR_APP_ID + COORDINATOR_APP_PRIVATE_KEY)
# for all API operations: cloning the private coordinator repo, requesting team
# reviewers, and setting PR assignees. GITHUB_TOKEN is not used.
#
# SECURITY INVARIANTS (pull_request_target):
# This workflow runs with access to secrets for ALL PRs including forks.
# It is safe ONLY because:
# 1. The checkout is the coordinator repo at ref: main — NEVER the PR head/branch
# 2. No ${{ }} interpolation of event fields in run: blocks — all routed via env:
# 3. The script never executes, sources, or reads files from the PR branch
# Violating any of these enables remote code execution with secret access.
name: Assign Reviewers
on:
# zizmor: ignore[dangerous-triggers] reviewed — no PR code checkout, only coordinator repo at ref: main
pull_request_target:
types: [opened, ready_for_review]
# GITHUB_TOKEN is not used — all operations use the GitHub App token.
# Declare minimal permissions so the default token has no write access.
permissions: {}
# Prevent duplicate runs for the same PR (e.g., rapid push + ready_for_review).
concurrency:
group: assign-reviewers-${{ github.event.pull_request.number }}
cancel-in-progress: true
# NOTE: For ready_for_review events, the webhook payload may still carry
# draft: true due to a GitHub race condition (payload serialized before DB
# update). We trust the event type instead — the script rechecks draft status
# via a live API call as defense-in-depth.
#
# No author_association filter — external and fork PRs also get reviewer
# assignments. Assigned reviewers are inherently scoped to org team members
# by the GitHub Teams API.
jobs:
assign-reviewers:
if: >-
github.event.action == 'ready_for_review' || github.event.pull_request.draft == false
runs-on: ubuntu-latest
steps:
- name: Generate app token
id: app-token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
with:
app-id: ${{ vars.COORDINATOR_APP_ID }}
private-key: ${{ secrets.COORDINATOR_APP_PRIVATE_KEY }}
repositories: codeowner-coordinator,zed
# SECURITY: checks out the coordinator repo at ref: main, NOT the PR branch.
# persist-credentials: false prevents the token from leaking into .git/config.
- name: Checkout coordinator repo
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
repository: zed-industries/codeowner-coordinator
ref: main
path: codeowner-coordinator
token: ${{ steps.app-token.outputs.token }}
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.11"
- name: Install dependencies
run: |
pip install --no-deps -q --only-binary ':all:' \
-r /dev/stdin <<< "pyyaml==6.0.3 --hash=sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d"
- name: Assign reviewers
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
PR_URL: ${{ github.event.pull_request.html_url }}
TARGET_REPO: ${{ github.repository }}
ASSIGN_INTERNAL: ${{ vars.ASSIGN_INTERNAL || 'false' }}
ASSIGN_EXTERNAL: ${{ vars.ASSIGN_EXTERNAL || 'true' }}
run: |
cd codeowner-coordinator
python .github/scripts/assign-reviewers.py \
--pr "$PR_URL" \
--apply \
--rules-file team-membership-rules.yml \
--repo "$TARGET_REPO" \
--org zed-industries \
2>&1 | tee /tmp/assign-reviewers-output.txt
- name: Upload output
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: assign-reviewers-output
path: /tmp/assign-reviewers-output.txt
retention-days: 30
Reference in a new issue View git blame Copy permalink