When the `require_issue_link` workflow closes an external PR for failing
the issue-link/assignee check, other CI workflows (lint, tests,
integration tests) keep running uselessly. This cancels all of them
immediately after closing the PR.
## Changes
- After closing the PR in the `check-issue-link` job's final step,
enumerate all `in_progress` and `queued` workflow runs matching the PR's
`head_sha` via `actions.listWorkflowRunsForRepo` and cancel each one
(skipping self via `context.runId`)
- Add `actions: write` permission to the job to allow cancellation API
calls
Bypass the issue-link requirement for external contributors who have
earned the `trusted-contributor` tier label (>=5 merged PRs). Previously
only PRs with the `internal` label skipped the gate, meaning repeat
contributors still had to link an approved issue on every PR. Also
includes minor template and linting tweaks for contributor experience.
## Changes
- Add `trusted-contributor` bypass to the `check-issue-link` job
condition in `require_issue_link.yml`, with a secondary live-label API
fetch inside the script to cover the race where the `external` labeled
event payload doesn't yet include the tier label
- Add a `bypass-trusted-contributor` job in `require_issue_link.yml`
that removes `missing-issue-link` and reopens the PR when the
`trusted-contributor` label arrives after enforcement has already closed
it
- Reorder steps in `tag-external-contributions.yml` so the tier label is
applied *before* the `external` label — eliminates the race window
entirely since `trusted-contributor` is already on the PR when the
downstream `labeled` event fires
- Switch the tier-label step from `GITHUB_TOKEN` to the app token so the
`trusted-contributor` labeled event propagates to downstream workflows
- Add `hotfix` to allowed PR title types in `pr_lint.yml`
- Promote the English language policy to a blockquote callout in issue
and PR templates; add a "do not begin work without assignment" note to
the feature request template
Auto-reopen external PRs that were closed by the `require_issue_link`
workflow once the author fixes their PR description. Previously, the
workflow closed non-compliant PRs but required a maintainer to manually
reopen them — creating unnecessary back-and-forth when the contributor
just needed to add an issue link or get assigned.
## Changes
- Add reopen logic to the success path in `require_issue_link.yml`:
after removing the `missing-issue-link` label, call `pulls.update({
state: 'open' })` if the PR is closed *and* still carries the
`missing-issue-link` label — gating on the label ensures only
workflow-closed PRs are reopened, not PRs closed manually by maintainers
- Update the bot's auto-close comments to tell contributors the PR will
reopen automatically once they fix the issue, instead of directing them
to ask a maintainer
Auto-close external PRs that fail the issue-link or assignee check
instead of just failing the CI status. The bot comment now explains the
PR was closed and gives numbered steps to resolve — including asking a
maintainer to reopen, since external contributors can't reopen PRs
themselves.
## Changes
- Close the PR via `pulls.update` after posting the bot comment in the
`check-issue-link` job, gated on `state === 'open'` to avoid redundant
API calls on re-runs
- Rewrite bot comment copy for both failure modes (missing link, not
assigned) to lead with "This PR has been automatically closed" and end
with "ask a maintainer to reopen this PR"
Extend the external PR gate to verify that the PR author is actually
assigned to the issue they reference. Previously, anyone could link to
any open issue with `Fixes #NNN` to pass the check — this closes the
loophole by fetching each linked issue via the GitHub API and comparing
assignees against the PR author (case-insensitive). The bot comment now
adapts its message based on which check failed, and updates in place if
the failure reason changes on a re-check.
## Changes
- Add assignee validation in the `check-link` step: after parsing issue
numbers from the PR body, fetch each via `github.rest.issues.get` and
check if the PR author appears in `assignees` — short-circuits on first
match
- Gate all downstream steps (`missing-issue-link` label add/remove,
comment, `setFailed`) on both `has-link` and `is-assigned` outputs
- Serve a distinct bot comment when the issue link exists but the author
isn't assigned, directing them to request assignment from a maintainer
- Update the existing marker comment in place (via `updateComment`) when
the failure reason changes between re-runs, instead of leaving a stale
message
Enforce that all external PRs reference an approved issue via GitHub
auto-close keywords (`Fixes #NNN`, `Closes #NNN`, `Resolves #NNN`). This
replaces the previous AI-disclaimer policy in the PR template with a
stricter requirement: external contributors must link to a
maintainer-approved issue before their PR can merge.
## Changes
- Add `require_issue_link.yml` workflow that chains off the `external`
label applied by `tag-external-contributions.yml` — listens for
`labeled`, `edited`, and `reopened` events to avoid duplicating the org
membership API call
- Scan PR body with a case-insensitive regex matching all conjugations
of `close/fix/resolve` + `#NNN`; fail the check and post a deduplicated
comment (via `<!-- require-issue-link -->` HTML marker) when no link is
found
- Apply a `missing-issue-link` label on failure, remove it on pass —
enables bulk cleanup via label filter
- Add `workflow_dispatch` backfill job to `pr_size_labeler.yml` for
retroactively applying size labels to open PRs
- Quote `author` in GitHub search queries in
`tag-external-contributions.yml` to prevent mismatches on usernames with
special characters
- Update `PULL_REQUEST_TEMPLATE.md` to replace the AI-disclaimer
guideline with the new issue-link requirement
> [!NOTE]
> `require_issue_link.yml` depends on `tag-external-contributions.yml`
running first to apply the `external` label. Deploy as a non-required
check initially, then promote to required after validation.
