From 1ed01ca4a18ff0114fb90bc771a5020bdc436922 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Wed, 27 May 2026 18:07:26 -0400
Subject: [PATCH 1/9] concurrency stays on the local one
---
 workflows/zizmor.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/workflows/zizmor.yml b/workflows/zizmor.yml
index 0a7513b..5bcec7c 100644
--- a/workflows/zizmor.yml
+++ b/workflows/zizmor.yml
@@ -5,10 +5,6 @@ on:
 permissions: {}
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
 jobs:
 zizmor:
 name: zizmor
From b592ffc0091cf8f152c0693f97800ab3a3927040 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Wed, 27 May 2026 18:07:32 -0400
Subject: [PATCH 2/9] migrate from cms
---
 workflows/pr-title.yml | 65 ++++++++++++++++++++++++++++++++
 workflows/pull-requests.yml | 74 +++++++++++++++++++++++++++++++++++++
 workflows/stale.yml | 26 +++++++++++++
 3 files changed, 165 insertions(+)
 create mode 100644 workflows/pr-title.yml
 create mode 100644 workflows/pull-requests.yml
 create mode 100644 workflows/stale.yml
diff --git a/workflows/pr-title.yml b/workflows/pr-title.yml
new file mode 100644
index 0000000..d42050e
--- /dev/null
+++ b/workflows/pr-title.yml
@@ -0,0 +1,65 @@
+name: Pull Request Title
+
+on:
+ workflow_call:
+
+permissions: {}
+
+jobs:
+ pr-title:
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - name: Validate PR title matches target branch
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
+ DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ run: |
+ # Validates PR title against target branch
+ # Returns error message if invalid, empty string if valid
+ validate_pr_title() {
+ local target_branch="$1"
+ local pr_title="$2"
+ local default_branch="$3"
+
+ # Check if target branch is a version branch (e.g., 5.x, 4.x)
+ if [[ $target_branch =~ ^([0-9]+)\.x$ ]]; then
+ local version="${BASH_REMATCH[1]}"
+ if [[ ! $pr_title =~ ^\[$version\.x\][[:space:]] ]]; then
+ echo "PR targeting '$target_branch' must have title starting with '[$version.x] '"
+ return
+ fi
+
+ # Check if target branch is master (next major version)
+ elif [[ $target_branch == "master" ]]; then
+ local current_version="${default_branch//\.x/}"
+ local next_version=$((current_version + 1))
+ if [[ ! $pr_title =~ ^\[$next_version\.x\][[:space:]] ]]; then
+ echo "PR targeting 'master' must have title starting with '[$next_version.x] '"
+ return
+ fi
+
+ # For other branches, just enforce that there's a version prefix
+ else
+ if [[ ! $pr_title =~ ^\[[0-9]+\.x\][[:space:]] ]]; then
+ echo "PR title must start with a version prefix like '[5.x] '"
+ return
+ fi
+ fi
+
+ echo ""
+ }
+
+ echo "PR Title: $PR_TITLE"
+ echo "Base Branch: $BASE_BRANCH"
+ echo "Default Branch: $DEFAULT_BRANCH"
+
+ ERROR=$(validate_pr_title "$BASE_BRANCH" "$PR_TITLE" "$DEFAULT_BRANCH")
+
+ if [[ -n $ERROR ]]; then
+ echo $ERROR
+ exit 1
+ fi
+
+ echo "PR title validation passed"
diff --git a/workflows/pull-requests.yml b/workflows/pull-requests.yml
new file mode 100644
index 0000000..20921c3
--- /dev/null
+++ b/workflows/pull-requests.yml
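Review bot: `echo $ERROR` in the failure branch of the `run:` script is unquoted, so the message is word-split and glob-expanded before printing; write `echo "$ERROR"` so the text (which contains `[$version.x]` bracket patterns) is emitted as-is. Separately, the `master` branch path derives `current_version` via `${default_branch//\.x/}` and feeds it to `$((current_version + 1))`; if the default branch is not of the form `N.x` (for example `main`), bash evaluates the leftover name as an arithmetic variable and silently yields `1`, so guard it with `[[ $current_version =~ ^[0-9]+$ ]] || { echo "Cannot derive next version from '$default_branch'"; return; }`. Passing the PR title in through `env:` instead of interpolating `${{ }}` into the script is the right shape for untrusted input and should be kept.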
@@ -0,0 +1,74 @@
+name: Pull Requests
+
+# Credit: https://github.com/github/docs/blob/main/.github/workflows/notify-when-maintainers-cannot-edit.yaml
+ # https://github.com/laravel/.github/blob/main/.github/workflows/pull-requests.yml
+
+on:
+ workflow_call:
+
+permissions: {}
+
+jobs:
+ uneditable:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+ with:
+ script: |
+ const repo = context.repo.repo;
+
+ const query = `
+ query($number: Int!) {
+ repository(owner: "statamic", name: "${repo}") {
+ pullRequest(number: $number) {
+ headRepositoryOwner {
+ login
+ }
+ maintainerCanModify
+ state
+ }
+ }
+ }
+ `;
+
+ const pullNumber = context.issue.number;
+ const variables = { number: pullNumber };
+
+ try {
+ console.log(`Check for maintainer edit access ...`);
+ const result = await github.graphql(query, variables);
+ console.log(JSON.stringify(result, null, 2));
+ const pullRequest = result.repository.pullRequest;
+
+ if (pullRequest.headRepositoryOwner.login === 'statamic') {
+ console.log('PR owned by statamic');
+ return;
+ }
+
+ if (pullRequest.state !== 'OPEN') {
+ console.log('PR has already been closed or merged');
+ return;
+ }
+
+ if (!pullRequest.maintainerCanModify) {
+ console.log('PR not owned by statamic and does not have maintainer edits enabled');
+
+ await github.rest.issues.createComment({
+ issue_number: pullNumber,
+ owner: 'statamic',
+ repo,
+ body: "Thanks for submitting a PR!\n\nIn order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, [see the relevant GitHub documentation](https://docs.github.com/en/github/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). Additionally, GitHub doesn't allow maintainer permissions from organization accounts. Please resubmit this PR from a personal GitHub account with maintainer permissions enabled."
+ });
+
+ await github.rest.pulls.update({
+ pull_number: pullNumber,
+ owner: 'statamic',
+ repo,
+ state: 'closed'
+ });
+ }
+ } catch(e) {
+ console.log(e);
+ }
diff --git a/workflows/stale.yml b/workflows/stale.yml
new file mode 100644
index 0000000..3014aa6
--- /dev/null
+++ b/workflows/stale.yml
@@ -0,0 +1,26 @@
+name: "Close stale issues"
+
+on:
+ workflow_call:
+
+permissions: {}
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ days-before-stale: 60
+ days-before-close: 7
+ ascending: true
+ only-labels: 'needs more info'
+ stale-issue-label: stale
+ stale-issue-message: >
+ This issue has not had recent activity and has been marked as stale — by me, a robot.
+ Simply reply to keep it open and send me away. If you do nothing, I will close it in
+ a week. I have no feelings, so whatever you do is fine by me.
From db2b5fff5a1bf40e1c455be879a3a428a05b6a10 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 10:18:27 -0400
Subject: [PATCH 3/9] move to the right place
---
 {workflows => .github/workflows}/pr-title.yml | 0
 {workflows => .github/workflows}/pull-requests.yml | 0
 {workflows => .github/workflows}/stale.yml | 0
 {workflows => .github/workflows}/zizmor.yml | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename {workflows => .github/workflows}/pr-title.yml (100%)
 rename {workflows => .github/workflows}/pull-requests.yml (100%)
 rename {workflows => .github/workflows}/stale.yml (100%)
 rename {workflows => .github/workflows}/zizmor.yml (100%)
diff --git a/workflows/pr-title.yml b/.github/workflows/pr-title.yml
similarity index 100%
rename from workflows/pr-title.yml
rename to .github/workflows/pr-title.yml
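Review bot: The trailing `catch(e) { console.log(e); }` in the `script:` block swallows every failure, so a rejected `createComment` or `pulls.update` call, or a `TypeError` from `pullRequest.headRepositoryOwner.login` when `headRepositoryOwner` comes back null (which can happen for a deleted fork), leaves the job green while the PR was neither commented on nor closed. Report it instead, `} catch(e) { core.setFailed(e.message); }`, and read the login defensively as `pullRequest.headRepositoryOwner?.login`. The owner is also hard-coded as `'statamic'` in the query, the comparison and both REST calls while `repo` is taken from `context.repo.repo`; since this is a `workflow_call` workflow, `context.repo.owner` would keep the two consistent if a caller ever lives under a different owner.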
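Review bot: `only-labels`, `days-before-stale` and `days-before-close` in the `with:` block apply to pull requests as well as issues, but only `stale-issue-label` and `stale-issue-message` are configured, so a PR carrying the `needs more info` label would presumably be marked with the action's default PR label and no message. If PRs are out of scope, as the final patch in this series ("action is not configured for prs anyway") suggests, make it explicit with `days-before-pr-stale: -1` so the action never attempts a PR write once `pull-requests: write` is gone. `repo-token: ${{ secrets.GITHUB_TOKEN }}` restates the action's default and is harmless; the `>` folded `stale-issue-message` keeps one trailing newline, which is fine for a comment body.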
diff --git a/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
similarity index 100%
rename from workflows/pull-requests.yml
rename to .github/workflows/pull-requests.yml
diff --git a/workflows/stale.yml b/.github/workflows/stale.yml
similarity index 100%
rename from workflows/stale.yml
rename to .github/workflows/stale.yml
diff --git a/workflows/zizmor.yml b/.github/workflows/zizmor.yml
similarity index 100%
rename from workflows/zizmor.yml
rename to .github/workflows/zizmor.yml
From 4fa867264c4fc3d576dfc0d0287b13669d32050b Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 10:18:49 -0400
Subject: [PATCH 4/9] run on this repo too
---
 .github/workflows/zizmor.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 5bcec7c..7da8a49 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -2,6 +2,9 @@ name: GitHub Actions Security Analysis
 on:
 workflow_call:
+ push:
+ branches: ["**"]
+ pull_request:
 permissions: {}
From 9841b458ab588c57e30f5e942f36803d1a54b4fc Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 10:31:58 -0400
Subject: [PATCH 5/9] these got dropped accidentally
---
 .github/workflows/pr-title.yml | 2 +-
 .github/workflows/pull-requests.yml | 2 +-
 .github/workflows/stale.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index d42050e..5dded9a 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -6,7 +6,7 @@ on:
 permissions: {}
 jobs:
- pr-title:
+ pr-title: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 permissions: {}
 steps:
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
index 20921c3..25ca426 100644
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
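Review bot: Adding `push: branches: ["**"]` alongside `pull_request:` runs the audit twice for every same-repository PR branch (once per push, once per PR event), and the `${{ github.workflow }}-${{ github.ref }}` concurrency group re-added later in this series does not collapse the two because the refs differ. Restricting `push` to the default branch, e.g. `branches: [main]` with the repository's actual default branch substituted, removes the duplicate while `pull_request:` still covers fork PRs. Quoting `"**"` is correct here; an unquoted `*` would be parsed as a YAML alias.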
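Review bot: `# zizmor: ignore[anonymous-definition]` on the `pr-title:` job suppresses the finding rather than addressing it; the audit appears to flag the job having no `name:`, and `zizmor.yml` earlier in this series shows the intended shape with `name: zizmor` under its job. Adding `name: Validate PR title` (or similar) to the job and dropping the ignore comment keeps the audit meaningful and the suppression surface small. The same suppression is added to `uneditable` in pull-requests.yml and `stale` in stale.yml in the following hunks, where the same fix applies.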
@@ -9,7 +9,7 @@ on:
 permissions: {}
 jobs:
- uneditable:
+ uneditable: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3014aa6..e907630 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,7 +6,7 @@ on:
 permissions: {}
 jobs:
- stale:
+ stale: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 permissions:
 issues: write
From 00552bf9352175418c726708fbbd206aa5fe5a28 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 10:33:00 -0400
Subject: [PATCH 6/9] fix indentation
---
 .github/workflows/stale.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index e907630..ca5be12 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,15 +12,15 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- days-before-stale: 60
- days-before-close: 7
- ascending: true
- only-labels: 'needs more info'
- stale-issue-label: stale
- stale-issue-message: >
- This issue has not had recent activity and has been marked as stale — by me, a robot.
- Simply reply to keep it open and send me away. If you do nothing, I will close it in
- a week. I have no feelings, so whatever you do is fine by me.
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ days-before-stale: 60
+ days-before-close: 7
+ ascending: true
+ only-labels: 'needs more info'
+ stale-issue-label: stale
+ stale-issue-message: >
+ This issue has not had recent activity and has been marked as stale — by me, a robot.
+ Simply reply to keep it open and send me away. If you do nothing, I will close it in
+ a week. I have no feelings, so whatever you do is fine by me.
From 9f7bfb6a2c7adafbbf6d1bc3359b1bffda902510 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 10:46:07 -0400
Subject: [PATCH 7/9] concurrency doesnt stay - zizmor wants it.
---
 .github/workflows/zizmor.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 7da8a49..1eedf2a 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -8,6 +8,10 @@ on:
 permissions: {}
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 zizmor:
 name: zizmor
From 22a9a407e243f56493d667b201f9d869cf5da5fd Mon Sep 17 00:00:00 2001
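Review bot: `cancel-in-progress: true` combined with a group keyed on `github.ref` means a burst of pushes to a shared branch cancels the in-flight audit of each earlier commit, so those commits end up with a cancelled job rather than a scan result in the workflow history. For a security-audit workflow the usual compromise is to cancel only on pull requests and let branch pushes run to completion: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The group key itself is fine; it restores what patch 1 of this series removed, as the subject line says.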
From: Jason Varga
Date: Thu, 28 May 2026 10:46:18 -0400
Subject: [PATCH 8/9] permission comments were dropped accidentally
---
 .github/workflows/pull-requests.yml | 2 +-
 .github/workflows/stale.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
index 25ca426..cd0903f 100644
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@@ -12,7 +12,7 @@ jobs:
 uneditable: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 permissions:
- pull-requests: write
+ pull-requests: write # post comment and close PRs that don't allow maintainer edits
 steps:
 - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ca5be12..0045318 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,8 +9,8 @@ jobs:
 stale: # zizmor: ignore[anonymous-definition]
 runs-on: ubuntu-latest
 permissions:
- issues: write
- pull-requests: write
+ issues: write # mark issues stale and close them
+ pull-requests: write # mark pull requests stale and close them
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
From 2791bb50b68a7150eeadce267ee9c7fb40f8911f Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Thu, 28 May 2026 11:28:28 -0400
Subject: [PATCH 9/9] drop pr permission. action is not configured for prs anyway.
---
 .github/workflows/stale.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0045318..f302601 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -10,7 +10,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 issues: write # mark issues stale and close them
- pull-requests: write # mark pull requests stale and close them
 steps:
 - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with: