mirror of
https://github.com/hwchase17/langchain.git
synced 2026-07-12 11:21:37 +00:00
Adds `github.repository_owner == 'langchain-ai'` guards to 14 GitHub
Actions workflows that were missing them. Without these guards,
write-capable automation (issue/PR labeling, closing, commenting, PR
reopening, release publishing) and CI jobs fire on forks — causing
unwanted mutations, wasted runner minutes, and failed GitHub App token
generation on repos that don't have the required secrets.
Also removes `v03_api_doc_build.yml`, which pushed built docs to
`langchain-ai/langchain-api-docs-html` via `TOKEN_GITHUB_API_DOCS_HTML`
— a secret that isn't set on this repo. The workflow was dead code with
no consumers.
---
## What changed
**Write-capable workflows now guarded** (8 files):
- `auto-label-by-package` — was adding/removing issue labels on forks
- `close_unchecked_issues` — was closing issues and posting comments on
forks via GitHub App token
- `tag-external-issues` — both `tag-external` and `backfill` jobs were
generating App tokens and labeling issues on forks
- `reopen_on_assignment` — was reopening PRs and re-running workflows on
forks
- `require_issue_link` — was closing PRs, creating labels, posting
comments, and canceling workflow runs on forks
- `remove_waiting_on_author` — was removing labels on fork issues/PRs
- `pr_labeler` — was generating App tokens and adding/removing PR labels
on forks
- `pr_labeler_backfill` — same, on manual trigger from a fork
**Read-only CI workflows now guarded** (5 files):
- `check_diffs` — `build` and `check-release-options` jobs (downstream
jobs inherit the skip)
- `codspeed` — `build` job
- `check_agents_sync`, `check_versions`, `check_release_deps`
**Release workflow guarded** (1 file):
- `_release` — `build` job (all downstream jobs chain via `needs`, so
they inherit the skip). Previously relied only on `environment: Release`
approval and a `github.ref` check.
**Removed**:
- `v03_api_doc_build.yml` — dead workflow depending on unset
`TOKEN_GITHUB_API_DOCS_HTML` secret
## What was already guarded
`block_fork_main_prs`, `bump_uv_pin`, `check_extras_sync`,
`integration_tests`, `pr_lint_trailer`, `refresh_model_profiles` already
had the guard. `pr_lint` (read-only, `pull-requests: read`) and the
`_*.yml` reusable workflows (only run when called by a guarded parent)
were intentionally left unguarded.
## Release note
- GitHub Actions workflows now skip execution on forks via
`repository_owner == 'langchain-ai'` guards, preventing unwanted
issue/PR automation and CI runs outside the canonical repo.
- Removed the dead `v03_api_doc_build` workflow that depended on an
unset secret.
---
🤖 Generated with AI-agent involvement.
132 lines
4.9 KiB
YAML
132 lines
4.9 KiB
YAML
# Backfill PR labels on all open PRs.
|
|
#
|
|
# Manual-only workflow that applies the same labels as pr_labeler.yml
|
|
# (size, file, title, contributor classification) to existing open PRs.
|
|
# Reuses shared logic from .github/scripts/pr-labeler.js.
|
|
|
|
name: "🏷️ PR Labeler Backfill"
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
max_items:
|
|
description: "Maximum number of open PRs to process"
|
|
default: "100"
|
|
type: string
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
backfill:
|
|
if: github.repository_owner == 'langchain-ai'
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
issues: write
|
|
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
|
|
- name: Generate GitHub App token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
|
|
with:
|
|
client-id: ${{ secrets.ORG_MEMBERSHIP_APP_CLIENT_ID }}
|
|
private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }}
|
|
|
|
- name: Backfill labels on open PRs
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
github-token: ${{ steps.app-token.outputs.token }}
|
|
script: |
|
|
const { owner, repo } = context.repo;
|
|
const rawMax = '${{ inputs.max_items }}';
|
|
const maxItems = parseInt(rawMax, 10);
|
|
if (isNaN(maxItems) || maxItems <= 0) {
|
|
core.setFailed(`Invalid max_items: "${rawMax}" — must be a positive integer`);
|
|
return;
|
|
}
|
|
|
|
const { h } = require('./.github/scripts/pr-labeler.js').loadAndInit(github, owner, repo, core);
|
|
|
|
for (const name of [...h.sizeLabels, ...h.tierLabels]) {
|
|
await h.ensureLabel(name);
|
|
}
|
|
|
|
const contributorCache = new Map();
|
|
const fileRules = h.buildFileRules();
|
|
|
|
const prs = await github.paginate(github.rest.pulls.list, {
|
|
owner, repo, state: 'open', per_page: 100,
|
|
});
|
|
|
|
let processed = 0;
|
|
let failures = 0;
|
|
for (const pr of prs) {
|
|
if (processed >= maxItems) break;
|
|
try {
|
|
const author = pr.user.login;
|
|
const info = await h.getContributorInfo(contributorCache, author, pr.user.type);
|
|
const labels = new Set();
|
|
|
|
labels.add(info.isExternal ? 'external' : 'internal');
|
|
if (info.isExternal && info.mergedCount != null && info.mergedCount >= h.trustedThreshold) {
|
|
labels.add('trusted-contributor');
|
|
} else if (info.isExternal && info.mergedCount === 0) {
|
|
labels.add('new-contributor');
|
|
}
|
|
|
|
// Size + file labels
|
|
const files = await github.paginate(github.rest.pulls.listFiles, {
|
|
owner, repo, pull_number: pr.number, per_page: 100,
|
|
});
|
|
const { sizeLabel } = h.computeSize(files);
|
|
labels.add(sizeLabel);
|
|
|
|
for (const label of h.matchFileLabels(files, fileRules)) {
|
|
labels.add(label);
|
|
}
|
|
|
|
// Title labels
|
|
const { labels: titleLabels } = h.matchTitleLabels(pr.title ?? '');
|
|
for (const tl of titleLabels) labels.add(tl);
|
|
|
|
// Ensure all labels exist before batch add
|
|
for (const name of labels) {
|
|
await h.ensureLabel(name);
|
|
}
|
|
|
|
// Remove stale managed labels
|
|
const currentLabels = (await github.paginate(
|
|
github.rest.issues.listLabelsOnIssue,
|
|
{ owner, repo, issue_number: pr.number, per_page: 100 },
|
|
)).map(l => l.name ?? '');
|
|
|
|
const managed = [...h.sizeLabels, ...h.tierLabels, ...h.allTypeLabels];
|
|
for (const name of currentLabels) {
|
|
if (managed.includes(name) && !labels.has(name)) {
|
|
try {
|
|
await github.rest.issues.removeLabel({
|
|
owner, repo, issue_number: pr.number, name,
|
|
});
|
|
} catch (e) {
|
|
if (e.status !== 404) throw e;
|
|
}
|
|
}
|
|
}
|
|
|
|
await github.rest.issues.addLabels({
|
|
owner, repo, issue_number: pr.number, labels: [...labels],
|
|
});
|
|
console.log(`PR #${pr.number} (${author}): ${[...labels].join(', ')}`);
|
|
processed++;
|
|
} catch (e) {
|
|
failures++;
|
|
core.warning(`Failed to process PR #${pr.number}: ${e.message}`);
|
|
}
|
|
}
|
|
|
|
console.log(`\nBackfill complete. Processed ${processed} PRs, ${failures} failures. ${contributorCache.size} unique authors.`);
|