1+ name : Label external pull requests
2+
3+ on :
4+ pull_request_target :
5+ types : [opened, reopened]
6+
7+ # Minimal permissions required to read repo metadata and add labels
8+ permissions :
9+ pull-requests : write
10+ contents : read
11+
12+ jobs :
13+ label-external :
14+ runs-on : ubuntu-latest
15+ steps :
16+ - name : Label PRs from contributors without write access
17+ uses : actions/github-script@v6
18+ with :
19+ github-token : ${{ secrets.GITHUB_TOKEN }}
20+ script : |
21+ const pr = context.payload.pull_request;
22+ if (!pr) {
23+ console.log('No pull_request payload found - nothing to do.');
24+ return;
25+ }
26+
27+ const owner = context.repo.owner;
28+ const repo = context.repo.repo;
29+ const username = pr.user && pr.user.login;
30+ if (!username) {
31+ console.log('PR author not found - exiting.');
32+ return;
33+ }
34+
35+ const privileged = ['admin', 'maintain', 'write'];
36+
37+ try {
38+ const resp = await github.rest.repos.getCollaboratorPermissionLevel({
39+ owner,
40+ repo,
41+ username
42+ });
43+ const permission = resp.data && resp.data.permission;
44+ console.log(`User ${username} permission: ${permission}`);
45+
46+ if (!privileged.includes(permission)) {
47+ console.log(`Adding 'external' label to PR #${pr.number}`);
48+ await github.rest.issues.addLabels({
49+ owner,
50+ repo,
51+ issue_number: pr.number,
52+ labels: ['external']
53+ });
54+ } else {
55+ console.log(`User ${username} has write or higher permission (${permission}) - skipping label.`);
56+ }
57+ } catch (err) {
58+ // 404 typically means the user is not a collaborator
59+ if (err.status === 404) {
60+ console.log(`User ${username} is not a collaborator - adding 'external' label`);
61+ await github.rest.issues.addLabels({
62+ owner,
63+ repo,
64+ issue_number: pr.number,
65+ labels: ['external']
66+ });
67+ }
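Review bot: `uses: actions/github-script@v6` (new line 17) references a mutable tag in a `pull_request_target` workflow, which runs with the base repository's token and `pull-requests: write` even for PRs from forks; pin it to a full commit SHA, e.g. `uses: actions/github-script@<full-commit-sha>  # v6`. The script never checks out or executes PR code, which is what keeps this trigger safe, so a comment above `on:` such as `# pull_request_target: never check out or run PR head code in this workflow` would protect that property against later edits. The `catch` block is visible only up to the 404 branch and the listing ends inside it. If other errors are not rethrown there, a failed permission lookup leaves the PR unlabelled while the run still succeeds, which fails open for anything that treats a missing `external` label as trusted; add `throw err;` after the 404 case if it is not already present.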