From 09e03b33622a598dd6507a32efa2448a7e00695e Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Fri, 5 Dec 2025 15:33:42 +1100
Subject: [PATCH 01/10] Bug 2001552 - No bug - close-pr: don't use GitHub variables in run sections DOT_GITHUB_OVERRIDE r=zeid
Differential Revision: https://phabricator.services.mozilla.com/D275166
---
 .github/workflows/close-pr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/close-pr.yml b/.github/workflows/close-pr.yml
index 85b6eb8b1dec0..d187e927a579b 100644
--- a/.github/workflows/close-pr.yml
+++ b/.github/workflows/close-pr.yml
@@ -13,5 +13,5 @@ jobs:
 GH_REPO: ${{ github.repository }}
 PR: ${{ github.event.pull_request.number }}
 run: |
- gh pr close ${{ env.PR }} --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
- gh pr lock ${{ env.PR }}
+ gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
+ gh pr lock "${PR}"
From df7926436a83c960cd9abd21c581b3dd41b1fe7f Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Fri, 5 Dec 2025 15:45:30 +1100
Subject: [PATCH 02/10] Bug 2001552 - close-pr: Allow specific teams to make PR for specific subdirectories DOT_GITHUB_OVERRIDE r=zeid
Differential Revision: https://phabricator.services.mozilla.com/D275167
---
 .github/workflows/close-pr.yml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/.github/workflows/close-pr.yml b/.github/workflows/close-pr.yml
index d187e927a579b..f7f9f1ba4bd50 100644
--- a/.github/workflows/close-pr.yml
+++ b/.github/workflows/close-pr.yml
@@ -3,11 +3,46 @@ on:
 pull_request_target:
 types: [opened, reopened]
+env:
+ ALLOWED_TEAM: lando-github-pilot
+ ALLOWED_PATHS: |
+ mobile/
+
 jobs:
 close-pr:
 runs-on: ubuntu-latest
 steps:
+ - name: Check team membership
+ id: team
+ env:
+ GH_TOKEN: ${{ github.token }}
+ GH_REPO: ${{ github.repository }}
+ AUTHOR: ${{ github.event.pull_request.user.login }}
+ run: |
+ ORG=$(echo ${GH_REPO} | cut -d'/' -f1)
+ if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
+ echo "is_member=true" >> $GITHUB_OUTPUT
+ else
+ echo "is_member=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Check allowed paths
+ id: paths
+ if: steps.team.outputs.is_member == 'true'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ GH_REPO: ${{ github.repository }}
+ PR: ${{ github.event.pull_request.number }}
+ run: |
+ PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
+ if gh pr view ${PR} --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then
+ echo "only_allowed=false" >> $GITHUB_OUTPUT
+ else
+ echo "only_allowed=true" >> $GITHUB_OUTPUT
+ fi
+
 - name: Close PR
+ if: steps.team.outputs.is_member != 'true' || steps.paths.outputs.only_allowed != 'true'
 env:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
From ae0b85923783c44f1fbf5b10ed1642a7242127b0 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Fri, 5 Dec 2025 16:17:48 +1100
Subject: [PATCH 03/10] Bug 2001552, Bug 1996664 - pr-handler: Add Lando link to allowed PRs r=zeid DOT_GITHUB_OVERRIDE
Differential Revision: https://phabricator.services.mozilla.com/D275169
---
 .../{close-pr.yml => pr-handler.yml} | 31 +++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
 rename .github/workflows/{close-pr.yml => pr-handler.yml} (50%)
diff --git a/.github/workflows/close-pr.yml b/.github/workflows/pr-handler.yml
similarity index 50%
rename from .github/workflows/close-pr.yml
rename to .github/workflows/pr-handler.yml
index f7f9f1ba4bd50..9124bf373c321 100644
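Review bot: The path check in the new `Check allowed paths` step fails open: if `gh pr view` errors (rate limit, token problem, API outage) its output is empty, `grep -vE` then matches nothing and exits non-zero, and the `else` branch records `only_allowed=true`, so a team member's PR touching any path would be admitted without the file list ever having been seen. Since this runs on `pull_request_target` with a token that can close and lock PRs, a failed listing should be recorded explicitly as `only_allowed=false` — without failing the step, because a failed step would skip `Close PR` and leave the PR open. The `xargs | tr` construction also turns every `ALLOWED_PATHS` line into an unescaped ERE fragment, which is fine for `mobile/` but deserves a comment above `PATTERN=`, and `$GITHUB_OUTPUT` should be quoted in all four `echo` lines. Redirecting stderr to `/dev/null` in the membership check hides the reason when the API call fails; that is fail-closed, which is right, but consider letting stderr reach the log.

```yaml
      # … unchanged: step name, id, if and env …
      run: |
        PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
        # A failed listing must not be mistaken for "no disallowed files":
        # record it as not allowed instead of failing the step, so that the
        # Close PR step below still runs.
        if ! FILES=$(gh pr view "${PR}" --json files --jq '.files[].path'); then
          echo "::error::could not list files of PR ${PR}; treating it as not allowed"
          echo "only_allowed=false" >> "$GITHUB_OUTPUT"
        elif printf '%s\n' "${FILES}" | grep -vE "^(${PATTERN})"; then
          echo "only_allowed=false" >> "$GITHUB_OUTPUT"
        else
          echo "only_allowed=true" >> "$GITHUB_OUTPUT"
        fi
```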
--- a/.github/workflows/close-pr.yml
+++ b/.github/workflows/pr-handler.yml
@@ -19,7 +19,7 @@ jobs:
 GH_REPO: ${{ github.repository }}
 AUTHOR: ${{ github.event.pull_request.user.login }}
 run: |
- ORG=$(echo ${GH_REPO} | cut -d'/' -f1)
+ ORG="${GITHUB_REPO/\/*/}"
 if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
 echo "is_member=true" >> $GITHUB_OUTPUT
 else
@@ -33,9 +33,11 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
 PR: ${{ github.event.pull_request.number }}
+ ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
+ ALLOWED_PATHS: ${{ env.ALLOWED_PATHS }}
 run: |
 PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
- if gh pr view ${PR} --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then
+ if gh pr view "${PR}" --json files --jq '.files[].path' | grep -vE "^(${PATTERN})"; then
 echo "only_allowed=false" >> $GITHUB_OUTPUT
 else
 echo "only_allowed=true" >> $GITHUB_OUTPUT
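Review bot: `ORG="${GITHUB_REPO/\/*/}"` reads a variable this step never sets — the step env defines `GH_REPO`, and `GITHUB_REPO` is only introduced for the separate `Add Lando link` step in this same patch, where it is step-scoped — so unless it is exported somewhere outside the diff, `ORG` is empty, the API path becomes `/orgs//teams/...`, and every author is reported as a non-member. PATCH 05 in this series already corrects the line to `ORG="${GH_REPO/\/*/}"`; if the series is squashed before landing, that fixup must go with it. The enclosing `Check team membership` step starts outside this hunk.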
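Review bot: `PATTERN` is built by word-splitting `ALLOWED_PATHS` and joining with `|`, then interpolated unescaped into `grep -vE "^(${PATTERN})"`, so each entry is an extended-regex prefix rather than a literal path: `mobile/` is harmless, but an entry such as `a.b/` would also admit `axb/`, and one containing `(`, `+` or `|` would silently change the pattern. A comment above `PATTERN=` should record that contract, e.g. `# each ALLOWED_PATHS line is an unescaped ERE path prefix; keep entries to [A-Za-z0-9_/-]`. The added `ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}` and `ALLOWED_PATHS: ${{ env.ALLOWED_PATHS }}` step-env lines look redundant, since workflow-level `env` is already exported to every step's shell — PATCH 05 drops one of them but keeps the other. The `run:` block continues past this hunk.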
@@ -50,3 +52,28 @@ jobs:
 run: |
 gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
 gh pr lock "${PR}"
+
+ - name: Add Lando link
+ if: (steps.team.outputs.is_member == 'true' || steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ GH_REPO: ${{ github.repository }}
+ PR: ${{ github.event.pull_request.number }}
+ #
+ # Set the following variables at the repository level [0].
+ # [0] https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-variables#defining-configuration-variables-for-multiple-workflows
+ #
+ LANDO_BASE_URL: ${{ vars.LANDO_BASE_URL }}
+ LANDO_REPO: ${{ vars.LANDO_REPO }}
+ #
+ # If they are empty, the following will be used to determine sane defaults.
+ #
+ DEFAULT_LANDO_BASE_URL: https://lando.moz.tools
+ GITHUB_REPO: ${{ github.repository }}
+ TARGET_BRANCH: ${{ github.base_ref}}
+ run: |
+ LANDO_BASE_URL="${LANDO_BASE_URL:-${DEFAULT_LANDO_BASE_URL}}"
+ # We extract the GitHub repo name and target branch to use as
+ # default LANDO_REPO if unspecified.
+ LANDO_REPO="${LANDO_REPO:-${GITHUB_REPO/*\//}-${TARGET_BRANCH}}"
+ gh pr comment "${PR}" --body "[View this pull request in Lando](${LANDO_BASE_URL}/pulls/${LANDO_REPO}/${PR}) to land it once approved."
From 423d3b6ee6863c8548da33d565a929edb68b3195 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Wed, 17 Dec 2025 13:54:12 +1100
Subject: [PATCH 04/10] CODEOWNERS: update for local tests
---
 CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index a4b78b29d8f21..e581f2bc6bd92 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-/mobile/* @mozilla-firefox/android-reviewers
+/mobile/* @mozilla-conduit/lando-github-pilot-android-reviewers
From 8f50fbf4d3245d5cfbe8b66ee8ab77e53e0a8f04 Mon Sep 17 00:00:00 2001
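Review bot: The default Lando repository name in the new `Add Lando link` step is composed from `TARGET_BRANCH`, i.e. `github.base_ref`, which is whichever existing branch the PR author chose to target; a branch name containing `/` would add a path segment to the posted URL, so either the expected `<repo>-<branch>` naming should be documented above `LANDO_REPO=` or the step limited to the base branches Lando actually serves (I cannot see Lando's naming rules from the diff). `GITHUB_REPO: ${{ github.repository }}` duplicates `GH_REPO`, set a few lines above in the same step env, and `${{ github.base_ref}}` is missing the space before `}}`; `${{ github.base_ref }}` matches the rest of the file. The `if:` joins the two outputs with `||`, so a team member whose PR touches a disallowed path receives both the close comment and this link; PATCH 07 in the series changes it to `&&`.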
From: Olivier Mehani
Date: Wed, 17 Dec 2025 13:51:30 +1100
Subject: [PATCH 05/10] fixup! Bug 2001552 - close-pr: Allow specific teams to make PR for specific subdirectories DOT_GITHUB_OVERRIDE r=zeid
---
 .github/workflows/pr-handler.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 9124bf373c321..7ca63a1ca42bd 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -1,15 +1,19 @@
-name: Close Pull Request
+name: Handle Pull Request
 on:
 pull_request_target:
 types: [opened, reopened]
+permissions:
+ issues: write
+ pull-requests: write
+
 env:
 ALLOWED_TEAM: lando-github-pilot
 ALLOWED_PATHS: |
 mobile/
 jobs:
- close-pr:
+ handle-pr:
 runs-on: ubuntu-latest
 steps:
 - name: Check team membership
@@ -18,8 +22,9 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
 AUTHOR: ${{ github.event.pull_request.user.login }}
+ ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 run: |
- ORG="${GITHUB_REPO/\/*/}"
+ ORG="${GH_REPO/\/*/}"
 if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
 echo "is_member=true" >> $GITHUB_OUTPUT
 else
@@ -33,7 +38,6 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
 PR: ${{ github.event.pull_request.number }}
- ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 ALLOWED_PATHS: ${{ env.ALLOWED_PATHS }}
 run: |
 PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')
@@ -53,6 +57,7 @@ jobs:
 gh pr close "${PR}" --comment "(Automated Close) Please do not file pull requests here, see https://firefox-source-docs.mozilla.org/contributing/how_to_submit_a_patch.html"
 gh pr lock "${PR}"
+ # Make this a separate job with a correct name when the PR-closer is no longer needed.
 - name: Add Lando link
 if: (steps.team.outputs.is_member == 'true' || steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
 env:
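Review bot: In the membership check every failure of `gh api`, not only a 404 for a non-member, is mapped to `is_member=false` because stderr is sent to `/dev/null`, so a token without organization read access — which the message of PATCH 06 says the default `GITHUB_TOKEN` lacks — silently closes and locks every pull request, including those from the allowed team, with nothing in the log to say why. Failing closed is the right default for a `pull_request_target` gate, but the cause should be visible: keep `--silent`, which only suppresses the response body, and drop the stderr redirect, i.e. `if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent; then`. The new `permissions:` block is the right least-privilege set for `gh pr close`, `gh pr lock` and `gh pr comment`; nothing in the job checks out code, so `contents` is correctly absent.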
From 8b6c6c0df46ffc9759852af2f7bf0f188b94211f Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Tue, 9 Dec 2025 13:47:09 +1100
Subject: [PATCH 06/10] workflows: Use actions/create-github-app-token to get a GH_TOKEN with org access
Workflows don't get access to organisation metadata via the GITHUB_TOKEN. We use the Lando Web App to obtain a token with sufficient permissions. This requires var.LANDO_WEB_APP_ID [0] and secrets.LANDO_WEB_APP_PRIVATE_KEY [1] to be set adequately in the repository settings. The app needs Organizations/Members read permission.
[0] https://github.com/mozilla-conduit/ff-test/settings/variables/actions
[1] https://github.com/mozilla-conduit/ff-test/settings/secrets/actions
---
 .github/workflows/pr-handler.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 7ca63a1ca42bd..01d9bc80ad23e 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -16,10 +16,20 @@ jobs:
 handle-pr:
 runs-on: ubuntu-latest
 steps:
+
+ # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
+ # We use the Lando Web App to obtain a token with sufficient permissions.
+ - name: Generate a token
+ id: generate-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ vars.LANDO_WEB_APP_ID }}
+ private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
+
 - name: Check team membership
 id: team
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 GH_REPO: ${{ github.repository }}
 AUTHOR: ${{ github.event.pull_request.user.login }}
 ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
From ddf36f15ee613f627d5f5c069b3e7ae288780851 Mon Sep 17 00:00:00 2001
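Review bot: The installation token minted by the new `Generate a token` step carries every permission the Lando Web App installation has, while this job only needs to read organization membership; `actions/create-github-app-token` accepts `permission-*` inputs that narrow the token, so add `permission-members: read` under `with:` so that a leak of this token in a `pull_request_target` run against an untrusted fork is bounded to that one read. The step also makes the whole gate depend on the App: if `vars.LANDO_WEB_APP_ID` or the private key is missing, or the token exchange fails, the step errors, the job stops, and `Close PR` never runs, so external PRs stay open and unlocked — the opposite of the previous behaviour. Putting `continue-on-error: true` on the token step keeps the close path fail-closed, since an empty `GH_TOKEN` makes the membership call fail and `is_member` false. Pinning the action to a full commit SHA rather than the mutable `@v2` tag is also advisable for a workflow that handles an App private key.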
From: Olivier Mehani
Date: Wed, 17 Dec 2025 13:50:10 +1100
Subject: [PATCH 07/10] fixup! Bug 2001552, Bug 1996664 - pr-handler: Add Lando link to allowed PRs r=zeid DOT_GITHUB_OVERRIDE
---
 .github/workflows/pr-handler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 01d9bc80ad23e..1fc77d699a14a 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -69,7 +69,7 @@ jobs:
 # Make this a separate job with a correct name when the PR-closer is no longer needed.
 - name: Add Lando link
- if: (steps.team.outputs.is_member == 'true' || steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
+ if: (steps.team.outputs.is_member == 'true' && steps.paths.outputs.only_allowed == 'true') && github.event.action == 'opened'
 env:
 GH_TOKEN: ${{ github.token }}
 GH_REPO: ${{ github.repository }}
From 549d6318261931d582d50e4c73e8a11a0b297dfc Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Tue, 9 Dec 2025 12:37:23 +1100
Subject: [PATCH 08/10] workflows: printf debugging
---
 .github/workflows/pr-handler.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
index 1fc77d699a14a..15e0dc9ad7ad9 100644
--- a/.github/workflows/pr-handler.yml
+++ b/.github/workflows/pr-handler.yml
@@ -3,9 +3,9 @@ on:
 pull_request_target:
 types: [opened, reopened]
-permissions:
- issues: write
- pull-requests: write
+# permissions:
+# issues: write
+# pull-requests: write
 env:
 ALLOWED_TEAM: lando-github-pilot
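Review bot: Commenting out the `permissions:` block in PATCH 08 hands this `pull_request_target` workflow the repository's default `GITHUB_TOKEN` permissions again, which are broader than the `issues`/`pull-requests` write set introduced in PATCH 05, and the workflow gets those permissions while processing PRs from untrusted forks. The commit subject calls this printf debugging, so it presumably should not land; if a debug run needs it, restore the block before merge, and if the block was dropped because the membership call was failing, note that `gh api` in that step now uses the App token, whose permissions come from the App, not from this block. The `||`→`&&` fix in PATCH 07 above is correct and needs no further change.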
@@ -34,8 +34,9 @@ jobs:
 AUTHOR: ${{ github.event.pull_request.user.login }}
 ALLOWED_TEAM: ${{ env.ALLOWED_TEAM }}
 run: |
+ set -x
 ORG="${GH_REPO/\/*/}"
- if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
+ if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}"; then
 echo "is_member=true" >> $GITHUB_OUTPUT
 else
 echo "is_member=false" >> $GITHUB_OUTPUT
From d62335bed790d3eafac34754d71db4cc9d20f90e Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Tue, 9 Dec 2025 12:24:17 +1100
Subject: [PATCH 09/10] /: add test file
---
 test | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test
diff --git a/test b/test
new file mode 100644
index 0000000000000..0d825ef93b0d4
--- /dev/null
+++ b/test
@@ -0,0 +1 @@
+5e566bfc-3557-4973-a1e4-5c34ebb5a555
From e2ee7c3283e1d3e8a120cc8f64c26def2471f8c9 Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Wed, 17 Dec 2025 14:03:51 +1100
Subject: [PATCH 10/10] mobile: a
---
 mobile/a | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 mobile/a
diff --git a/mobile/a b/mobile/a
new file mode 100644
index 0000000000000..e69de29bb2d1d
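Review bot: `set -x` together with the removed `--silent 2>/dev/null` writes the expanded `gh api` command and the full membership response object to the job log, which for a public repository is world-readable; `GH_TOKEN` itself is not echoed because it travels in the environment rather than on the command line, and the App token output should be masked by the action, so the exposure is the membership record and the author login, but it is still diagnostics that outlive the debugging commit. For the version that lands, keep `--silent` and let only stderr through, i.e. `if gh api "/orgs/${ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent; then`, and drop `set -x`. The `run:` block continues past this hunk, and PATCH 09 and PATCH 10 below are test fixtures rather than reviewable changes.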