vrr/zed
2
0
Fork 0
mirror of https://github.com/zed-industries/zed.git synced 2026-05-24 21:59:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
zed/.github/workflows/stale-pr-reminder.yml
John D. Swanson 10ddd9085d
Update assign-reviewers workflow for fork PR support (#51876) 
## Summary

Deploy updated `assign-reviewers.yml` from
[codeowner-coordinator#83](https://github.com/zed-industries/codeowner-coordinator/pull/83):

- Switch trigger from `pull_request` to `pull_request_target` to support
fork PRs and fix `author_association` misclassification bug (org members
reported as `COLLABORATOR`)
- Remove `author_association` filter and fork gate — reviewer
assignments are inherently scoped to org team members by the GitHub
Teams API
- Remove `--min-association member` from script invocation
- Add `SECURITY INVARIANTS` comment block documenting
`pull_request_target` safety requirements
- Add concurrency guard to prevent duplicate runs per PR
- Add `--require-hashes` + SHA256 pin for pyyaml install

## Test plan

- [ ] Verify a fork PR triggers the workflow and receives team
assignment
- [ ] Verify a draft→ready PR triggers correctly
- [ ] Verify org member PRs continue to work

Release Notes:

- N/A
2026-03-18 19:09:44 -04:00

115 lines
4.4 KiB
YAML
Raw Permalink Blame History

# Stale PR Review Reminder
#
# Runs daily on weekdays (second run at 8 PM UTC disabled during rollout) and posts a Slack summary of open PRs that
# have been awaiting review for more than 72 hours. Team-level signal only —
# no individual shaming.
#
# Security note: No untrusted input is interpolated into shell commands.
# All PR metadata is read via gh API + jq.
#
# Required secrets:
# SLACK_WEBHOOK_PR_REVIEW_BOT - Incoming webhook URL for the #pr-review-ops channel
name: Stale PR Review Reminder
on:
schedule:
- cron: "0 14 * * 1-5" # 2 PM UTC weekdays
# - cron: "0 20 * * 1-5" # 8 PM UTC weekdays — enable after initial rollout
workflow_dispatch: {}
permissions:
contents: read
pull-requests: read
jobs:
check-stale-prs:
if: github.repository_owner == 'zed-industries'
runs-on: ubuntu-latest
timeout-minutes: 5
env:
REPO: ${{ github.repository }}
# Only surface PRs created on or after this date. Update this if the
# review process enforcement date changes.
PROCESS_START_DATE: "2026-03-19T00:00:00Z"
steps:
- name: Find PRs awaiting review longer than 72h
id: stale
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
CUTOFF=$(date -u -v-72H +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
|| date -u -d '72 hours ago' +%Y-%m-%dT%H:%M:%SZ)
# Get open, non-draft PRs with pending review requests, created before cutoff
# but after the review process start date (to exclude pre-existing backlog)
gh api --paginate \
"repos/${REPO}/pulls?state=open&sort=updated&direction=asc&per_page=100" \
--jq "[
.[] |
select(.draft == false) |
select(.created_at > \"$PROCESS_START_DATE\") |
select(.created_at < \"$CUTOFF\") |
select((.requested_reviewers | length > 0) or (.requested_teams | length > 0))
]" > /tmp/candidates.json
# Filter to PRs with zero approving reviews
jq -r '.[].number' /tmp/candidates.json | while read -r PR_NUMBER; do
APPROVALS=$(gh api \
"repos/${REPO}/pulls/${PR_NUMBER}/reviews" \
--jq "[.[] | select(.state == \"APPROVED\")] | length" 2>/dev/null || echo "0")
if [ "$APPROVALS" -eq 0 ]; then
jq ".[] | select(.number == ${PR_NUMBER}) | {number, title, author: .user.login, created_at}" \
/tmp/candidates.json
fi
done | jq -s '.' > /tmp/awaiting.json
COUNT=$(jq 'length' /tmp/awaiting.json)
echo "count=$COUNT" >> "$GITHUB_OUTPUT"
- name: Notify Slack
if: steps.stale.outputs.count != '0'
env:
SLACK_WEBHOOK_PR_REVIEW_BOT: ${{ secrets.SLACK_WEBHOOK_PR_REVIEW_BOT }}
COUNT: ${{ steps.stale.outputs.count }}
run: |
# Build Block Kit payload from JSON — no shell interpolation of PR titles.
# Why jq? PR titles are attacker-controllable input. By reading them
# through jq -r from the JSON file and passing the result to jq --arg,
# the content stays safely JSON-encoded in the final payload.
PRS=$(jq -r '.[] | "• <https://github.com/'"${REPO}"'/pull/\(.number)|#\(.number)> — \(.title) (by \(.author), opened \(.created_at | split("T")[0]))"' /tmp/awaiting.json)
jq -n \
--arg count "$COUNT" \
--arg prs "$PRS" \
'{
text: ($count + " PR(s) awaiting review for >72 hours"),
blocks: [
{
type: "section",
text: {
type: "mrkdwn",
text: (":hourglass_flowing_sand: *" + $count + " PR(s) Awaiting Review >72 Hours*")
}
},
{
type: "section",
text: { type: "mrkdwn", text: $prs }
},
{ type: "divider" },
{
type: "context",
elements: [{
type: "mrkdwn",
text: "PRs awaiting review are surfaced daily. Reviewers: pick one up or reassign."
}]
}
]
}' | \
curl -s -X POST "$SLACK_WEBHOOK_PR_REVIEW_BOT" \
-H 'Content-Type: application/json' \
-d @-
defaults:
run:
shell: bash -euxo pipefail {0}
Reference in a new issue View git blame Copy permalink