diff --git a/.github/workflows/survey-on-merged-pr.yml b/.github/workflows/survey-on-merged-pr.yml index dbf27a13f..db1c7aec6 100644 --- a/.github/workflows/survey-on-merged-pr.yml +++ b/.github/workflows/survey-on-merged-pr.yml @@ -3,6 +3,17 @@ name: Survey on Merged PR by Non-Member on: workflow_call: + inputs: + client_id: + description: >- + Client ID of the caller repository's OTELBOT app. Used to mint an + installation token that can comment on PRs and check org membership. + required: true + type: string + secrets: + private_key: + description: PEM private key for the OTELBOT app referenced by client_id. + required: true permissions: {} @@ -13,22 +24,31 @@ jobs: comment-on-pr: name: Add survey to PR if author is not a member runs-on: ubuntu-latest - permissions: - pull-requests: write # for gh pr comment if: >- github.event.pull_request.merged == true && github.repository_owner == 'open-telemetry' && - github.event.pull_request.user.type != 'Bot' && - github.event.pull_request.author_association != 'MEMBER' && - github.event.pull_request.author_association != 'OWNER' && - github.event.pull_request.author_association != 'COLLABORATOR' + github.event.pull_request.user.type != 'Bot' steps: - - name: Add survey comment + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + id: otelbot-token + with: + client-id: ${{ inputs.client_id }} + private-key: ${{ secrets.private_key }} + permission-pull-requests: write # for 'gh pr comment ...' + permission-members: read # for 'gh api orgs/$ORG/members/$USERNAME' + + - name: Add survey comment if author is not an org member env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPO: ${{ github.repository }} + GH_TOKEN: ${{ steps.otelbot-token.outputs.token }} USERNAME: ${{ github.event.pull_request.user.login }} + REPO: ${{ github.repository }} + ORG: ${{ github.repository_owner }} PR_NUMBER: ${{ github.event.pull_request.number }} run: | set -euo pipefail + if gh api "orgs/$ORG/members/$USERNAME" --silent; then + echo "Skipping survey for org member: $USERNAME" + exit 0 + fi + echo "Adding survey comment for external contributor: $USERNAME" gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Thank you for your contribution @${USERNAME}! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this [survey](${SURVEY_URL})." diff --git a/survey-on-merged-pr/README.md b/survey-on-merged-pr/README.md index b4202d1cb..6746bcb85 100644 --- a/survey-on-merged-pr/README.md +++ b/survey-on-merged-pr/README.md @@ -26,20 +26,28 @@ permissions: {} jobs: survey: - permissions: - pull-requests: write # required by the shared workflow to post the survey comment uses: open-telemetry/shared-workflows/.github/workflows/survey-on-merged-pr.yml@ + with: + client_id: ${{ vars.OTELBOT_CLIENT_ID }} + secrets: + private_key: ${{ secrets.OTELBOT_PRIVATE_KEY }} ``` -Pin `` to a commit SHA or release tag in this repository. No inputs, no secrets — the workflow uses the built-in `GITHUB_TOKEN` and posts as `github-actions[bot]`. +Pin `` to a commit SHA or release tag in this repository. Substitute the variable/secret names on the right-hand sides to match whatever your repo uses. -## Required permissions +The `zizmor: ignore[dangerous-triggers]` inline comment on the `pull_request_target:` line is only relevant if your repo runs [zizmor](https://github.com/zizmorcore/zizmor); it silences the false-positive finding since this caller doesn't check out any PR-controlled code — it just invokes the shared workflow which itself operates entirely through the GitHub API. -The caller's job-level `permissions:` block **must** grant `pull-requests: write`. The shared workflow needs it to post the survey comment via `gh pr comment`. +## Inputs -A [reusable workflow cannot elevate its own permissions beyond what the caller grants](https://docs.github.com/en/actions/using-workflows/reusing-workflows), so a caller job without `pull-requests: write` will fail with a permission error when the comment step runs. +| Input | Required | Type | Description | +| --- | --- | --- | --- | +| `client_id` | yes | `string` | OTELBOT app Client ID for the caller repo. Pass the value of your `OTELBOT_CLIENT_ID`-style variable. | -The `zizmor: ignore[dangerous-triggers]` inline comment on the `pull_request_target:` line is only relevant if your repo runs [zizmor](https://github.com/zizmorcore/zizmor); it silences the false-positive finding since this caller doesn't check out any PR-controlled code — it just invokes the shared workflow which itself operates entirely through the GitHub API. +## Secrets + +| Secret | Required | Description | +| --- | --- | --- | +| `private_key` | yes | PEM private key for the OTELBOT app referenced by `client_id`. | ## Behavior notes