Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 29 additions & 9 deletions .github/workflows/survey-on-merged-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,17 @@ name: Survey on Merged PR by Non-Member

on:
workflow_call:
inputs:
client_id:
description: >-
Client ID of the caller repository's OTELBOT app. Used to mint an
installation token that can comment on PRs and check org membership.
required: true
type: string
secrets:
private_key:
description: PEM private key for the OTELBOT app referenced by client_id.
required: true

permissions: {}

Expand All @@ -13,22 +24,31 @@ jobs:
comment-on-pr:
name: Add survey to PR if author is not a member
runs-on: ubuntu-latest
permissions:
pull-requests: write # for gh pr comment
if: >-
github.event.pull_request.merged == true &&
github.repository_owner == 'open-telemetry' &&
github.event.pull_request.user.type != 'Bot' &&
github.event.pull_request.author_association != 'MEMBER' &&
github.event.pull_request.author_association != 'OWNER' &&
github.event.pull_request.author_association != 'COLLABORATOR'
github.event.pull_request.user.type != 'Bot'
steps:
- name: Add survey comment
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: otelbot-token
with:
client-id: ${{ inputs.client_id }}
private-key: ${{ secrets.private_key }}
permission-pull-requests: write # for 'gh pr comment ...'
permission-members: read # for 'gh api orgs/$ORG/members/$USERNAME'

- name: Add survey comment if author is not an org member
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
USERNAME: ${{ github.event.pull_request.user.login }}
REPO: ${{ github.repository }}
ORG: ${{ github.repository_owner }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
set -euo pipefail
if gh api "orgs/$ORG/members/$USERNAME" --silent; then
echo "Skipping survey for org member: $USERNAME"
exit 0
fi
echo "Adding survey comment for external contributor: $USERNAME"
gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Thank you for your contribution @${USERNAME}! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this [survey](${SURVEY_URL})."
22 changes: 15 additions & 7 deletions survey-on-merged-pr/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,20 +26,28 @@ permissions: {}

jobs:
survey:
permissions:
pull-requests: write # required by the shared workflow to post the survey comment
uses: open-telemetry/shared-workflows/.github/workflows/survey-on-merged-pr.yml@<sha-or-tag>
with:
client_id: ${{ vars.OTELBOT_CLIENT_ID }}
secrets:
private_key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
```

Pin `<sha-or-tag>` to a commit SHA or release tag in this repository. No inputs, no secrets — the workflow uses the built-in `GITHUB_TOKEN` and posts as `github-actions[bot]`.
Pin `<sha-or-tag>` to a commit SHA or release tag in this repository. Substitute the variable/secret names on the right-hand sides to match whatever your repo uses.

## Required permissions
The `zizmor: ignore[dangerous-triggers]` inline comment on the `pull_request_target:` line is only relevant if your repo runs [zizmor](https://github.com/zizmorcore/zizmor); it silences the false-positive finding since this caller doesn't check out any PR-controlled code — it just invokes the shared workflow which itself operates entirely through the GitHub API.

The caller's job-level `permissions:` block **must** grant `pull-requests: write`. The shared workflow needs it to post the survey comment via `gh pr comment`.
## Inputs

A [reusable workflow cannot elevate its own permissions beyond what the caller grants](https://docs.github.com/en/actions/using-workflows/reusing-workflows), so a caller job without `pull-requests: write` will fail with a permission error when the comment step runs.
| Input | Required | Type | Description |
| --- | --- | --- | --- |
| `client_id` | yes | `string` | OTELBOT app Client ID for the caller repo. Pass the value of your `OTELBOT_CLIENT_ID`-style variable. |

The `zizmor: ignore[dangerous-triggers]` inline comment on the `pull_request_target:` line is only relevant if your repo runs [zizmor](https://github.com/zizmorcore/zizmor); it silences the false-positive finding since this caller doesn't check out any PR-controlled code — it just invokes the shared workflow which itself operates entirely through the GitHub API.
## Secrets

| Secret | Required | Description |
| --- | --- | --- |
| `private_key` | yes | PEM private key for the OTELBOT app referenced by `client_id`. |

## Behavior notes

Expand Down