Prevent double counting, since the sum of all `input_token_details`
should never exceed `input_tokens`
---------
Co-authored-by: Chester Curme <chester.curme@gmail.com>
During an automated code review of .github/scripts/get_min_versions.py,
the following issue was identified. Set a timeout on get min versions
HTTP calls. Network calls without a timeout can hang a worker
indefinitely. I kept the patch small and re-ran syntax checks after
applying it.
When the `require_issue_link` workflow closes an external PR for failing
the issue-link/assignee check, other CI workflows (lint, tests,
integration tests) keep running uselessly. This cancels all of them
immediately after closing the PR.
## Changes
- After closing the PR in the `check-issue-link` job's final step,
enumerate all `in_progress` and `queued` workflow runs matching the PR's
`head_sha` via `actions.listWorkflowRunsForRepo` and cancel each one
(skipping self via `context.runId`)
- Add `actions: write` permission to the job to allow cancellation API
calls
Remove the redundant `lc_attributes` override from `ChatXAI`. The
`xai_api_base` field is a declared Pydantic `Field`, so
`Serializable.to_json()` already picks it up via its standard field
iteration loop (line 225-232 in `serializable.py`). The override was a
no-op — it re-inserted the same key with the same value that the base
serialization already included.
Add `base_url` alias and `XAI_API_BASE` env variable support to
`ChatXAI.xai_api_base`, aligning the xAI integration with the pattern
used across other partner packages (OpenAI, Groq, Fireworks, etc.).
Previously the base URL was a plain string field with no alias or
env-var lookup, making it inconsistent with the rest of the ecosystem
and harder to configure in deployment environments.
## Changes
- Add `alias="base_url"` and `default_factory=from_env("XAI_API_BASE",
default="https://api.x.ai/v1/")` to `ChatXAI.xai_api_base`, matching the
convention in `langchain_openai`, `langchain_groq`, and
`langchain_fireworks`
Extract additional fields from models.dev into `_model_data_to_profile`:
`name`, `status`, `release_date`, `last_updated`, `open_weights`,
`attachment`, `temperature`
Move the model profile refresh logic from an inline bash script in the
GitHub Actions workflow into a `make refresh-profiles` target in
`libs/model-profiles/Makefile`. This makes it runnable locally with a
single command and keeps the provider map in one place instead of
duplicated between CI and developer docs.
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixed typo in comment: "equivelent" -> "equivalent" in
libs/partners/openai/langchain_openai/chat_models/base.py
Co-authored-by: AI Assistant <assistant@example.com>
Automated refresh of model profile data for all in-monorepo partner
integrations via `langchain-profiles refresh`.
🤖 Generated by the `refresh_model_profiles` workflow.
Co-authored-by: mdrxy <61371264+mdrxy@users.noreply.github.com>
Bypass the issue-link requirement for external contributors who have
earned the `trusted-contributor` tier label (>=5 merged PRs). Previously
only PRs with the `internal` label skipped the gate, meaning repeat
contributors still had to link an approved issue on every PR. Also
includes minor template and linting tweaks for contributor experience.
## Changes
- Add `trusted-contributor` bypass to the `check-issue-link` job
condition in `require_issue_link.yml`, with a secondary live-label API
fetch inside the script to cover the race where the `external` labeled
event payload doesn't yet include the tier label
- Add a `bypass-trusted-contributor` job in `require_issue_link.yml`
that removes `missing-issue-link` and reopens the PR when the
`trusted-contributor` label arrives after enforcement has already closed
it
- Reorder steps in `tag-external-contributions.yml` so the tier label is
applied *before* the `external` label — eliminates the race window
entirely since `trusted-contributor` is already on the PR when the
downstream `labeled` event fires
- Switch the tier-label step from `GITHUB_TOKEN` to the app token so the
`trusted-contributor` labeled event propagates to downstream workflows
- Add `hotfix` to allowed PR title types in `pr_lint.yml`
- Promote the English language policy to a blockquote callout in issue
and PR templates; add a "do not begin work without assignment" note to
the feature request template
The `tag-external-contributions.yml` workflow was using `GITHUB_TOKEN`
to add the `external` label to PRs, which silently prevented the
`labeled` event from propagating to `require_issue_link.yml`. GitHub
Actions suppresses events created by `GITHUB_TOKEN` to avoid infinite
loops — but in this case, the downstream workflow depends on that event
to enforce the issue-link requirement on external PRs.
## Changes
- Switch `github-token` from `secrets.GITHUB_TOKEN` to the existing App
token (`steps.app-token.outputs.token`) in the "Add external label to
pull request" step of `tag-external-contributions.yml`, so the `labeled`
event fires and triggers `require_issue_link.yml`
Auto-reopen external PRs that were closed by the `require_issue_link`
workflow once the author fixes their PR description. Previously, the
workflow closed non-compliant PRs but required a maintainer to manually
reopen them — creating unnecessary back-and-forth when the contributor
just needed to add an issue link or get assigned.
## Changes
- Add reopen logic to the success path in `require_issue_link.yml`:
after removing the `missing-issue-link` label, call `pulls.update({
state: 'open' })` if the PR is closed *and* still carries the
`missing-issue-link` label — gating on the label ensures only
workflow-closed PRs are reopened, not PRs closed manually by maintainers
- Update the bot's auto-close comments to tell contributors the PR will
reopen automatically once they fix the issue, instead of directing them
to ask a maintainer
Auto-close external PRs that fail the issue-link or assignee check
instead of just failing the CI status. The bot comment now explains the
PR was closed and gives numbered steps to resolve — including asking a
maintainer to reopen, since external contributors can't reopen PRs
themselves.
## Changes
- Close the PR via `pulls.update` after posting the bot comment in the
`check-issue-link` job, gated on `state === 'open'` to avoid redundant
API calls on re-runs
- Rewrite bot comment copy for both failure modes (missing link, not
assigned) to lead with "This PR has been automatically closed" and end
with "ask a maintainer to reopen this PR"
Extend the external PR gate to verify that the PR author is actually
assigned to the issue they reference. Previously, anyone could link to
any open issue with `Fixes #NNN` to pass the check — this closes the
loophole by fetching each linked issue via the GitHub API and comparing
assignees against the PR author (case-insensitive). The bot comment now
adapts its message based on which check failed, and updates in place if
the failure reason changes on a re-check.
## Changes
- Add assignee validation in the `check-link` step: after parsing issue
numbers from the PR body, fetch each via `github.rest.issues.get` and
check if the PR author appears in `assignees` — short-circuits on first
match
- Gate all downstream steps (`missing-issue-link` label add/remove,
comment, `setFailed`) on both `has-link` and `is-assigned` outputs
- Serve a distinct bot comment when the issue link exists but the author
isn't assigned, directing them to request assignment from a maintainer
- Update the existing marker comment in place (via `updateComment`) when
the failure reason changes between re-runs, instead of leaving a stale
message
