From 8d85008ff65dd9bd67a1006d2ccc46bebe4e85e9 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Wed, 17 Dec 2025 13:51:30 +1100
Subject: [PATCH 1/5] fixup! Bug 2001552 - close-pr: Allow specific teams to make PR for specific subdirectories DOT_GITHUB_OVERRIDE r=zeid
---
 .github/workflows/pr-handler.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 9124bf373c321..036350a953d67 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -1,8 +1,12 @@
-name: Close Pull Request
+name: Handle Pull Request
 on:
 pull_request_target:
 types: [opened, reopened]
+permissions:
+ issues: write
+ pull-requests: write
+
 env:
 ALLOWED_TEAM: lando-github-pilot
 ALLOWED_PATHS: |
@@ -18,8 +22,9 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
 AUTHOR: ${{ github.event.pull_request.user.login }}
+ ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 run: |
- ORG="${GITHUB_REPO/\/*/}"
+ ORG="${GH_REPO/\/*/}"
 if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
 echo "is_member=true" >> $GITHUB_OUTPUT
 else
@@ -33,7 +38,6 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
 PR: ${{ github.event.pull_request.number }}
- ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 ALLOWED_PATHS: ${{ env.ALLOWED_PATHS }}
 run: |
 PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
@@ -53,6 +57,7 @@ jobs:
 gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
 gh pr lock "${PR}"
+ # Make this a separate job with a correct name when the PR-closer is no longer needed.
 - name: Add Lando link
 if: (steps.team.outputs.is_member == 'true' || steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
 env:
From 5897ae971f150345b0349ffc9d50af3b6f6178e4 Mon Sep 17 00:00:00 2001
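Review bot: The new top-level `permissions:` block in the first hunk of PATCH 1/5 (`@@ -1,8 +1,12 @@`) has no comment saying why each scope is needed, and in a `pull_request_target` workflow it is what bounds `github.token` for every PR that triggers the job. Declaring the block also sets every unlisted scope to none, a property a later editor can undo without noticing by removing or commenting it out. I would add a comment above it such as `# Least privilege for pull_request_target: gh pr close/lock/comment only; unlisted scopes are 'none'.`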
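Review bot: In the membership check (second hunk of PATCH 1/5, `@@ -18,8 +22,9 @@`) any non-zero exit from `gh api` is recorded as `is_member=false`, and `--silent 2>/dev/null` discards the reason, so a token without organisation read access, a rate limit or a network error looks exactly like a real non-member. That fails closed, which is the safe direction for an allow-list, but it presumably gets a legitimate team member's PR closed and locked with nothing in the log to explain why. I would keep stderr (`--silent` alone already hides the response body) and quote the output file, e.g. `echo "is_member=false" >> "$GITHUB_OUTPUT"`. The `run:` script continues past the end of the hunk.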
From: Olivier Mehani
Date: Tue, 9 Dec 2025 13:47:09 +1100
Subject: [PATCH 2/5] workflows: Use actions/create-github-app-token to get a GH_TOKEN with org access Workflows don't get access to organisation metadata via the GITHUB_TOKEN. We use the Lando Web App to obtain a token with sufficient permissions. This requires var.LANDO_WEB_APP_ID [0] and secrets.LANDO_WEB_APP_PRIVATE_KEY [1] to be set adequately in the repository settings. The app needs Organizations/Members read permission. [0] https://github.com/mozilla-conduit/ff-test/settings/variables/actions [1] https://github.com/mozilla-conduit/ff-test/settings/secrets/actions
---
 .github/workflows/pr-handler.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 036350a953d67..8eaa2f3bfc09e 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -16,10 +16,20 @@ jobs:
 close-pr:
 runs-on: ubuntu-latest
 steps:
+
+ # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
+ # We use the Lando Web App to obtain a token with sufficient permissions.
+ - name: Generate a token
+ id: generate-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ vars.LANDO_WEB_APP_ID }}
+ private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
+
 - name: Check team membership
 id: team
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 GH_REPO: ${{ github.repository }}
 AUTHOR: ${{ github.event.pull_request.user.login }}
 ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
From 2d30234aed5318176ba69a9c0ffc42aeb149fcb8 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Wed, 17 Dec 2025 13:50:10 +1100
Subject: [PATCH 3/5] fixup! Bug 2001552, Bug 1996664 - pr-handler: Add Lando link to allowed PRs r=zeid DOT_GITHUB_OVERRIDE
---
 .github/workflows/pr-handler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
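Review bot: `uses: actions/create-github-app-token@v2` in the hunk of PATCH 2/5 (`@@ -16,10 +16,20 @@`) references a movable tag while the step is handed `secrets.LANDO_WEB_APP_PRIVATE_KEY` inside a `pull_request_target` workflow, so a retagged or compromised release of the action would run with access to the App private key. Pin the action to a full commit SHA and keep the version as a comment, `uses: actions/create-github-app-token@<full-commit-sha> # v2.x.y` (placeholder; take the SHA from the release that was reviewed). The minted token also inherits every permission of the App installation unless narrowed, and the commit message says only Organizations/Members read is needed, so request just that through the action's `permission-<name>` inputs (`permission-members: read`, to be confirmed against the action's README). The job's remaining steps are outside this hunk, so it cannot be confirmed from here that none of them checks out or runs PR-supplied code while this token exists.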
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 8eaa2f3bfc09e..85d00b2984afb 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -69,7 +69,7 @@ jobs:
 # Make this a separate job with a correct name when the PR-closer is no longer needed.
 - name: Add Lando link
- if: (steps.team.outputs.is_member == 'true' || steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
+ if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
 env:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
From b2592df584b455004ffad44d730afda3a75fe703 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Tue, 9 Dec 2025 12:37:23 +1100
Subject: [PATCH 4/5] workflows: printf debugging
---
 .github/workflows/pr-handler.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 85d00b2984afb..d64f38c3b5f0e 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -3,9 +3,9 @@ on:
 pull_request_target:
 types: [opened, reopened]
-permissions:
- issues: write
- pull-requests: write
+# permissions:
+# issues: write
+# pull-requests: write
 env:
 ALLOWED_TEAM: lando-github-pilot
@@ -34,8 +34,9 @@ jobs:
 AUTHOR: ${{ github.event.pull_request.user.login }}
 ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 run: |
+ set -x
 ORG="${GH_REPO/\/*/}"
- if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
+ if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}"; then
 echo "is_member=true" >> $GITHUB_OUTPUT
 else
 echo "is_member=false" >> $GITHUB_OUTPUT
From a993f63e95f818ab9ae20c3b38ce0f3283be75dc Mon Sep 17 00:00:00 2001
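Review bot: The `if:` of `Add Lando link` (PATCH 3/5, `@@ -69,7 +69,7 @@`) now requires team membership and allowed paths together, but nothing in the hunk documents that rule or ties it to the close step's condition, which lies outside the hunk. If the two conditions are not exact complements, a PR can be closed and still receive a Lando link. I would add a comment above the `if:` such as `# Link only when the author is in ALLOWED_TEAM AND the PR touches only ALLOWED_PATHS; keep in sync with the close step.` and drop the now-redundant outer parentheses.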
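Review bot: Commenting out the `permissions:` block (PATCH 4/5, first hunk, `@@ -3,9 +3,9 @@`) makes `github.token` fall back to the repository or organisation default, which may be read/write on every scope, in a workflow triggered by `pull_request_target`. The subject line says "printf debugging", so this looks like a local experiment that should not be part of the series, and other steps on this page still pass `github.token` to `gh`. Restore the three lines as they were: `permissions:`, `issues: write`, `pull-requests: write`. If the block was disabled because a call failed with it in place, add the one missing scope instead of removing the limit.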
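Review bot: `set -x` together with the removal of `--silent 2>/dev/null` (PATCH 4/5, second hunk, `@@ -34,8 +34,9 @@`) writes the expanded API path, with organisation, team and PR author, and the full membership response into the job log, which is readable by everyone who can view the repository's Actions runs. `GH_TOKEN` is read by `gh` from the environment and is not part of the traced command line, so the token itself should not appear, but this step now runs with the App token and tracing is best not left on. For diagnosis keep stderr and suppress only the body, `if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent; then`, and drop `set -x` before this lands. The closing `fi` of the script is outside the hunk.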
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 17 Dec 2025 03:11:50 +0000
Subject: [PATCH 5/5] Bump lodash Bumps [lodash](https://github.com/lodash/lodash) from 4.17.5 to 4.17.21. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.5...4.17.21) --- updated-dependencies: - dependency-name: lodash dependency-version: 4.17.21 dependency-type: direct:production ...
Signed-off-by: dependabot[bot]
---
 .../addon/content/pages/custom/debugger/app/package.json | 2 +-
 .../addon/content/pages/custom/debugger/app/yarn.lock | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/package.json b/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/package.json
index ab53149a83730..8d70e40504ca3 100644
--- a/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/package.json
+++ b/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/package.json
@@ -8,7 +8,7 @@
 "eslint-loader": "1.9.0",
 "eslint-plugin-flowtype": "2.39.1",
 "immutable": "^3.8.2",
- "lodash": "^4.17.5",
+ "lodash": "^4.17.21",
 "react": "^16.2.0",
 "react-dom": "^16.2.0",
 "react-scripts": "1.0.17"
diff --git a/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/yarn.lock b/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/yarn.lock
index afb8e0aeacf2a..a4756dff2a2e2 100644
--- a/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/yarn.lock
+++ b/testing/talos/talos/tests/devtools/addon/content/pages/custom/debugger/app/yarn.lock
@@ -3940,9 +3940,9 @@ lodash.uniq@^4.5.0: version "4.5.0" resolved "https://registry.yarnpkg.com/lodash.uniq/-/lodash.uniq-4.5.0.tgz#d0225373aeb652adc1bc82e4945339a842754773" -"lodash@>=3.5 <5", lodash@^4.14.0, lodash@^4.15.0, lodash@^4.17.2, lodash@^4.17.3, lodash@^4.17.4, lodash@^4.17.5, lodash@^4.3.0: - version "4.17.5" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.5.tgz#99a92d65c0272debe8c96b6057bc8fbfa3bed511" +"lodash@>=3.5 <5", lodash@^4.14.0, lodash@^4.15.0, lodash@^4.17.2, lodash@^4.17.21, lodash@^4.17.3, lodash@^4.17.4, lodash@^4.3.0: + version "4.17.21" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" loglevel@^1.4.1: version "1.6.0"