local-deep-research/.github/workflows/labels-sync.yml
LearningCircuit d8034e27a4 feat(ci): declarative label set for PR triage (1/5) (#3857)
* feat(ci): introduce declarative labels for PR triage

Add .github/labels.yml + labels-sync.yml workflow (EndBug/label-sync@v2)
managing 7 new labels for PR triage: 4 persistent (external-contributor,
first-time-contributor, bot, needs-rework) and 3 lifecycle
(needs-codeowner-review, awaiting-author, awaiting-codeowner) that will
be toggled per-PR by a follow-up workflow.

Sync is additive (delete-other-labels: false) so the existing 75
labels are not touched. Workflow runs only on push to main when
labels.yml changes, plus workflow_dispatch for manual sync.

First PR of a 5-PR series introducing PR triage automation.

* fix(ci): pin actions and harden labels-sync workflow

Adds the missing contents:read permission (without it, actions/checkout
fails because explicit permissions: zeroes out unspecified scopes).
Brings the workflow into line with repo conventions used by every other
label/issues-write workflow:

- SHA-pin actions/checkout (v6.0.2), step-security/harden-runner (v2.19.1),
  and EndBug/label-sync (v2.3.3); enforced by validate-image-pinning.yml.
- Add harden-runner first step with egress-policy: audit (matches 54/57
  workflows including label-fixed-in-dev.yml).
- Move permissions to job scope; top-level permissions: {} for OSSF Scorecard.
- Add timeout-minutes: 5 (matches label-fixed-in-dev.yml).
- Use sparse-checkout for labels.yml only with persist-credentials: false.
- Document the deliberate omission of concurrency: (regression #3554/#3599).
2026-05-08 21:50:01 +02:00


name: Sync repo labels
# Declaratively syncs labels listed in .github/labels.yml.
# Additive only: labels not listed here are left untouched (delete-other-labels: false).
# Lifecycle labels (needs-codeowner-review, awaiting-author, awaiting-codeowner) are
# created by this workflow but toggled per-PR by .github/workflows/pr-triage.yml.
on:
  push:
    branches: [main]
    paths:
      - '.github/labels.yml'
      - '.github/workflows/labels-sync.yml'
  workflow_dispatch:
# No concurrency group — intentionally omitted, matching .github/workflows/label-fixed-in-dev.yml.
# Previous attempts (#3554, reverted #3599) showed that cancel-in-progress on label workflows
# kills useful in-flight runs. Sync is idempotent so concurrent runs are safe.
permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions
jobs:
  sync-labels:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
      issues: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          sparse-checkout: .github/labels.yml
          sparse-checkout-cone-mode: false
      - name: Sync labels
        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          config-file: .github/labels.yml
          delete-other-labels: false
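An added example, not part of the repository or this commit, that checks the two hardening properties the commit message describes: every `uses:` is pinned to a full commit SHA with a trailing version comment (the property the commit says validate-image-pinning.yml enforces), and the top-level `permissions:` is `{}`. The sample workflow text and the helper functions are my own constructions, not the repo's checker.

```python
import re

# Constructed sample: one step SHA-pinned the way the page's workflow does it,
# one step on a floating tag that a pinning check should reject.
SAMPLE_WORKFLOW = """\
name: Sync repo labels
permissions: {}
jobs:
  sync-labels:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
      - uses: EndBug/label-sync@v2
"""

# Matches "uses: owner/repo@ref" with an optional "# vX.Y.Z" comment after it.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>\S+))?")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_EMPTY_PERMS = re.compile(r"^permissions:\s*\{\}\s*(#.*)?$", re.MULTILINE)


def check_action_pins(workflow_text):
    """Return (line_no, action, problem) for every `uses:` that is not pinned to a
    40-hex commit SHA with a version comment. An empty list means all are pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are outside this check
        action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((line_no, action, f"not pinned to a commit SHA (got {version!r})"))
        elif not m.group("comment"):
            findings.append((line_no, action, "SHA pin has no trailing version comment"))
    return findings


def top_level_permissions_minimal(workflow_text):
    """True when the workflow declares `permissions: {}` at the top level, so every
    job must opt in to the scopes it needs (as the page's workflow does)."""
    return TOP_LEVEL_EMPTY_PERMS.search(workflow_text) is not None
```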