Add a durable maintainer override to the "Require Issue Link" workflow.
The existing maintainer-reopen path skipped enforcement once but didn't
persist that decision — a subsequent PR edit could re-trigger closure.
Maintainers now have two override paths (reopen the PR or remove
`missing-issue-link`), both converging on `applyMaintainerBypass()`
which reopens the PR, cleans up `missing-issue-link`, and applies a
durable `bypass-issue-check` label so future triggers skip enforcement.
## Changes
- Add `unlabeled` to `pull_request_target` trigger types and gate it on
`missing-issue-link` removal + `external` label presence in the
job-level `if`
- Introduce `bypass-issue-check` as a new skip label alongside
`trusted-contributor` — scoped per-PR (not per-author) so maintainers
can override individual PRs without blanket trust
- Extract three helpers in the check-link script: `ensureAndAddLabel`
(idempotent label creation), `senderIsOrgMember` (org membership check),
and `applyMaintainerBypass` (remove label → reopen → add bypass)
- `applyMaintainerBypass` reopens the PR *before* adding the bypass
label so a failed reopen (deleted branch, permissions) leaves a more
actionable state; reopen failure is caught and surfaced via
`core.warning` instead of crashing the step
- Non-member label removal defensively re-adds `missing-issue-link` and
early-returns with failure outputs (re-add failure is non-fatal so the
downstream "Add label" step can retry)
- Replace hardcoded `'langchain-ai'` org in `senderIsOrgMember` with
`context.repo.owner` for portability
- Auto-close comments now include a maintainer override hint: *"reopen
this PR or remove the `missing-issue-link` label to bypass this check"*
- Live-label race guard also checks for `bypass-issue-check`
When a maintainer manually reopens a PR that was auto-closed by the
`require-issue-link` workflow, skip enforcement so it stays open. Scoped
to PRs carrying the `missing-issue-link` label (i.e. only those closed
by this workflow). Non-org-members reopening their own PRs still go
through normal enforcement.
Remove `opened` from the `require_issue_link.yml` trigger list. New PRs
never have labels at creation time, so the job-level `if` (which
requires the `external` label) always evaluated to skip — producing a
noisy "Skipped" check on every internal PR. Enforcement chains through
`pr_labeler.yml` → `labeled` event, making `opened` a no-op.
## Changes
- Drop `opened` from `pull_request_target.types` in
`require_issue_link.yml` — only `edited`, `reopened`, and `labeled`
remain
- Update header comment to document why `opened` is intentionally
excluded
Consolidate four separate PR labeling workflows (`pr_labeler_file.yml`,
`pr_labeler_title.yml`, `pr_size_labeler.yml`, and the PR-handling half
of `tag-external-contributions.yml`) into a single `pr_labeler.yml`
workflow. The old workflows raced against each other — concurrent label
mutations could drop or duplicate labels depending on execution order. A
unified workflow with concurrency grouping eliminates that class of bug.
When the `require_issue_link` workflow closes an external PR for failing
the issue-link/assignee check, other CI workflows (lint, tests,
integration tests) keep running uselessly. This cancels all of them
immediately after closing the PR.
## Changes
- After closing the PR in the `check-issue-link` job's final step,
enumerate all `in_progress` and `queued` workflow runs matching the PR's
`head_sha` via `actions.listWorkflowRunsForRepo` and cancel each one
(skipping self via `context.runId`)
- Add `actions: write` permission to the job to allow cancellation API
calls
Bypass the issue-link requirement for external contributors who have
earned the `trusted-contributor` tier label (>=5 merged PRs). Previously
only PRs with the `internal` label skipped the gate, meaning repeat
contributors still had to link an approved issue on every PR. Also
includes minor template and linting tweaks for contributor experience.
## Changes
- Add `trusted-contributor` bypass to the `check-issue-link` job
condition in `require_issue_link.yml`, with a secondary live-label API
fetch inside the script to cover the race where the `external` labeled
event payload doesn't yet include the tier label
- Add a `bypass-trusted-contributor` job in `require_issue_link.yml`
that removes `missing-issue-link` and reopens the PR when the
`trusted-contributor` label arrives after enforcement has already closed
it
- Reorder steps in `tag-external-contributions.yml` so the tier label is
applied *before* the `external` label — eliminates the race window
entirely since `trusted-contributor` is already on the PR when the
downstream `labeled` event fires
- Switch the tier-label step from `GITHUB_TOKEN` to the app token so the
`trusted-contributor` labeled event propagates to downstream workflows
- Add `hotfix` to allowed PR title types in `pr_lint.yml`
- Promote the English language policy to a blockquote callout in issue
and PR templates; add a "do not begin work without assignment" note to
the feature request template
Auto-reopen external PRs that were closed by the `require_issue_link`
workflow once the author fixes their PR description. Previously, the
workflow closed non-compliant PRs but required a maintainer to manually
reopen them — creating unnecessary back-and-forth when the contributor
just needed to add an issue link or get assigned.
## Changes
- Add reopen logic to the success path in `require_issue_link.yml`:
after removing the `missing-issue-link` label, call `pulls.update({
state: 'open' })` if the PR is closed *and* still carries the
`missing-issue-link` label — gating on the label ensures only
workflow-closed PRs are reopened, not PRs closed manually by maintainers
- Update the bot's auto-close comments to tell contributors the PR will
reopen automatically once they fix the issue, instead of directing them
to ask a maintainer
Auto-close external PRs that fail the issue-link or assignee check
instead of just failing the CI status. The bot comment now explains the
PR was closed and gives numbered steps to resolve — including asking a
maintainer to reopen, since external contributors can't reopen PRs
themselves.
## Changes
- Close the PR via `pulls.update` after posting the bot comment in the
`check-issue-link` job, gated on `state === 'open'` to avoid redundant
API calls on re-runs
- Rewrite bot comment copy for both failure modes (missing link, not
assigned) to lead with "This PR has been automatically closed" and end
with "ask a maintainer to reopen this PR"
Extend the external PR gate to verify that the PR author is actually
assigned to the issue they reference. Previously, anyone could link to
any open issue with `Fixes #NNN` to pass the check — this closes the
loophole by fetching each linked issue via the GitHub API and comparing
assignees against the PR author (case-insensitive). The bot comment now
adapts its message based on which check failed, and updates in place if
the failure reason changes on a re-check.
## Changes
- Add assignee validation in the `check-link` step: after parsing issue
numbers from the PR body, fetch each via `github.rest.issues.get` and
check if the PR author appears in `assignees` — short-circuits on first
match
- Gate all downstream steps (`missing-issue-link` label add/remove,
comment, `setFailed`) on both `has-link` and `is-assigned` outputs
- Serve a distinct bot comment when the issue link exists but the author
isn't assigned, directing them to request assignment from a maintainer
- Update the existing marker comment in place (via `updateComment`) when
the failure reason changes between re-runs, instead of leaving a stale
message
Enforce that all external PRs reference an approved issue via GitHub
auto-close keywords (`Fixes #NNN`, `Closes #NNN`, `Resolves #NNN`). This
replaces the previous AI-disclaimer policy in the PR template with a
stricter requirement: external contributors must link to a
maintainer-approved issue before their PR can merge.
## Changes
- Add `require_issue_link.yml` workflow that chains off the `external`
label applied by `tag-external-contributions.yml` — listens for
`labeled`, `edited`, and `reopened` events to avoid duplicating the org
membership API call
- Scan PR body with a case-insensitive regex matching all conjugations
of `close/fix/resolve` + `#NNN`; fail the check and post a deduplicated
comment (via `<!-- require-issue-link -->` HTML marker) when no link is
found
- Apply a `missing-issue-link` label on failure, remove it on pass —
enables bulk cleanup via label filter
- Add `workflow_dispatch` backfill job to `pr_size_labeler.yml` for
retroactively applying size labels to open PRs
- Quote `author` in GitHub search queries in
`tag-external-contributions.yml` to prevent mismatches on usernames with
special characters
- Update `PULL_REQUEST_TEMPLATE.md` to replace the AI-disclaimer
guideline with the new issue-link requirement
> [!NOTE]
> `require_issue_link.yml` depends on `tag-external-contributions.yml`
running first to apply the `external` label. Deploy as a non-required
check initially, then promote to required after validation.
