rocm-systems/.github/workflows/pr-auto-label.yml

# Auto Label PR
# -------------
# This GitHub Actions workflow automatically adds or removes labels on a pull request
# based on a custom Python script that analyzes the PR content and paths.
#
# Steps:
#   - Run pr_category_label.py to determine which category labels to add/remove
#   - Update labels on the PR using GitHub CLI (gh)
#   - Check if the PR creator is a member of the specified organization and add/remove labels accordingly

name: Auto Label PR

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    branches:
      - 'develop'
      - 'staging'
      - 'main'
      - 'release-staging/rocm-rel-7.*'
    # Ignore changes to top-level files and directories
    # that are not part of the subtree structure
    paths-ignore:
      - '.github/**'
      - 'docs/**'
      - '*.md'

# ensure that the workflow is not running for the same PR multiple times at once
concurrency:
  group: pr-auto-label-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: false

env:
  ORG_TO_CHECK: ROCm
  ORG_LABEL: "organization: ROCm"
  EXTERNAL_LABEL: "external contribution"

jobs:
  auto-label-pr:
    runs-on: ubuntu-24.04
    steps:
      - name: Generate GitHub App token (only for branch PRs)
        id: generate-token
        if: ${{ !github.event.pull_request.head.repo.fork }}
        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      - name: Checkout workflows
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          sparse-checkout: '.github'
          token: ${{ github.event.pull_request.head.repo.fork && secrets.GITHUB_TOKEN || steps.generate-token.outputs.token }}

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: '3.12'

      - name: Install python dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pydantic requests

      - name: Set up Git user
        run: |
          git config user.name "systems-assistant[bot]"
          git config user.email "systems-assistant[bot]@users.noreply.github.com"

      - name: Compute Category Labels for PR
        id: compute_labels
        env:
          # this env clause gets repeated, but it is safer than echo'ing secrets in the workflow
          GH_TOKEN: ${{ github.event.pull_request.head.repo.fork && secrets.GITHUB_TOKEN || steps.generate-token.outputs.token }}
        run: |
          python .github/scripts/pr_category_label.py \
            --repo ${{ github.repository }} \
            --pr ${{ github.event.pull_request.number }}

      - name: Update labels
        env:
          # this env clause gets repeated, but it is safer than echo'ing secrets in the workflow
          GH_TOKEN: ${{ github.event.pull_request.head.repo.fork && secrets.GITHUB_TOKEN || steps.generate-token.outputs.token }}
        run: |
          if [ -n "${{ steps.compute_labels.outputs.label_add }}" ]; then
            gh pr edit "${{ github.event.pull_request.number }}" --add-label "${{ steps.compute_labels.outputs.label_add }}"
          fi

      - name: Check if PR creator is in org or collaborator and label accordingly
        env:
          # this env clause gets repeated, but it is safer than echo'ing secrets in the workflow
          GH_TOKEN: ${{ github.event.pull_request.head.repo.fork && secrets.GITHUB_TOKEN || steps.generate-token.outputs.token }}
        run: |
          if gh pr view "${{ github.event.pull_request.number }}" --json labels -q '.labels[].name' | grep -qFx "imported pr"; then
            echo "Skipping org membership labeling for imported pull request."
            exit 0
          fi

          PR_USER=$(gh pr view "${{ github.event.pull_request.number }}" --json author -q .author.login)

          if [ "${{ github.event.pull_request.head.repo.fork }}" = true ]; then
            # For fork PRs: check if user has any collaborator permission on the repo
            PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/$PR_USER/permission --jq '.permission')
            if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "write" ] || [ "$PERMISSION" = "maintain" ]; then
              gh pr edit "${{ github.event.pull_request.number }}" --add-label "${{ env.ORG_LABEL }}"
            else
              gh pr edit "${{ github.event.pull_request.number }}" --add-label "${{ env.EXTERNAL_LABEL }}"
            fi
          else
            # For branch PRs (non-forks): check org membership via GitHub App token
            if gh api orgs/${{ env.ORG_TO_CHECK }}/members/$PR_USER --silent; then
              gh pr edit "${{ github.event.pull_request.number }}" --add-label "${{ env.ORG_LABEL }}"
            else
              gh pr edit "${{ github.event.pull_request.number }}" --add-label "${{ env.EXTERNAL_LABEL }}"
            fi
          fi