Files
podman/.github/workflows/issue_pr_lock.yml
Byounguk Lee 32f987fc8c ci: restrict specific workflows to the upstream repository
Many GitHub Actions workflows currently trigger on user forks, leading to
unnecessary CI resource consumption, unwanted bot behavior, and inevitable
failures. This commit restricts these specific workflows to only run on the
primary `containers/podman` repository.

The restricted workflows fall into two main categories:
1. Require Custom Upstream Secrets: Workflows like `release`, `mac-pkg`,
   `cherry-pick`, and `dev-bump` rely on secrets (e.g., Apple/Azure certs,
   PODMANBOT_TOKEN, ACTION_MAIL_*) that are unavailable in forks.
2. Manage Upstream Tracker State: Workflows like `assign`, `stale`, and
   `labeler` are intended strictly for managing the primary project's
   issues and PRs. Running them on personal forks creates unwanted noise.

Additionally, refactored several complex `if` conditions using YAML
multi-line strings (`|`) to maintain and improve readability.

Signed-off-by: Byounguk Lee <nimdrak@gmail.com>
2026-06-18 11:32:53 +00:00

87 lines
3.2 KiB
YAML

---
# WARNING ALERT DANGER CAUTION ATTENTION: This file is reused from the
# `main` branch, by workflows in (at least) the Buildah and Skopeo repos.
# Please think twice before making large changes, renaming, or moving the file.
# Format ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
name: "Lock closed issues and PRs"
on:
schedule:
- cron: '0 0 * * *'
# Allow reuse of this workflow by other repositories
# Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
workflow_call:
secrets:
STALE_LOCKING_APP_PRIVATE_KEY:
required: true
ACTION_MAIL_SERVER:
required: true
ACTION_MAIL_USERNAME:
required: true
ACTION_MAIL_PASSWORD:
required: true
ACTION_MAIL_SENDER:
required: true
# Debug: Allow triggering job manually in github-actions WebUI
workflow_dispatch: {}
permissions:
contents: read
concurrency:
group: lock
env:
# Number of days before a closed issue/PR is be comment-locked.
# Note: dessant/lock-threads will only process a max. of
# 50 issues/PRs at a time.
CLOSED_DAYS: 90
# Pre-created issue/PR label to add (preferably a bright color).
# This is intended to direct a would-be commenter's actions.
LOCKED_LABEL: 'locked - please file new issue/PR'
jobs:
manage_locking:
if: github.repository == 'podman-container-tools/podman'
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
# Use dedicated github app to workaround API rate limiting
# Ref: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
- name: Obtain Stale Locking App token
id: generate-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
# N/B: These are both defined at the containers-org level
app-id: ${{ vars.STALE_LOCKING_APP_ID }}
private-key: ${{ secrets.STALE_LOCKING_APP_PRIVATE_KEY }}
# Ref: https://github.com/dessant/lock-threads#usage
- uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
with:
github-token: '${{ steps.generate-token.outputs.token }}'
process-only: 'issues, prs'
issue-inactive-days: '${{env.CLOSED_DAYS}}'
pr-inactive-days: '${{env.CLOSED_DAYS}}'
add-issue-labels: '${{env.LOCKED_LABEL}}'
add-pr-labels: '${{env.LOCKED_LABEL}}'
pr-lock-reason: 'resolved'
log-output: true
- if: failure()
name: Send job failure notification e-mail
uses: dawidd6/action-send-mail@42942bc2f8fba4e611b459a018967a6a7c78c68c # v17
with:
server_address: ${{secrets.ACTION_MAIL_SERVER}}
server_port: 465
username: ${{secrets.ACTION_MAIL_USERNAME}}
password: ${{secrets.ACTION_MAIL_PASSWORD}}
subject: Github workflow error on ${{github.repository}}
to: podman-monitor@lists.podman.io
from: ${{secrets.ACTION_MAIL_SENDER}}
body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"