From 3e459beac1e9d5eb7f53bc9ad88e1ac6d216a65b Mon Sep 17 00:00:00 2001 From: Mason Daugherty Date: Mon, 9 Mar 2026 21:47:17 -0400 Subject: [PATCH] ci: use app token for external PR label to trigger downstream workflows (#35710) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `tag-external-contributions.yml` workflow was using `GITHUB_TOKEN` to add the `external` label to PRs, which silently prevented the `labeled` event from propagating to `require_issue_link.yml`. GitHub Actions suppresses events created by `GITHUB_TOKEN` to avoid infinite loops — but in this case, the downstream workflow depends on that event to enforce the issue-link requirement on external PRs. ## Changes - Switch `github-token` from `secrets.GITHUB_TOKEN` to the existing App token (`steps.app-token.outputs.token`) in the "Add external label to pull request" step of `tag-external-contributions.yml`, so the `labeled` event fires and triggers `require_issue_link.yml` --- .github/workflows/tag-external-contributions.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tag-external-contributions.yml b/.github/workflows/tag-external-contributions.yml index 577ac67d6a4..5dfbcdb3fe1 100644 --- a/.github/workflows/tag-external-contributions.yml +++ b/.github/workflows/tag-external-contributions.yml @@ -119,7 +119,10 @@ jobs: if: steps.check-membership.outputs.is-external == 'true' && github.event_name == 'pull_request_target' uses: actions/github-script@v8 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + # Use App token so the "labeled" event propagates to downstream + # workflows (e.g. require_issue_link.yml). Events created by the + # default GITHUB_TOKEN do not trigger additional workflow runs. + github-token: ${{ steps.app-token.outputs.token }} script: | const { owner, repo } = context.repo; const pull_number = context.payload.pull_request.number;