Merge branch 'main' into graphql-schema-update

Author: rachmari

.github/actions-scripts/fr-add-docs-reviewers-requests.js

@@ -84,7 +84,7 @@ async function run() {
       !pr.isDraft &&
       !pr.labels.nodes.find((label) => label.name === 'Deploy train 🚂') &&
       pr.reviewRequests.nodes.find(
-        (requestedReviewers) => requestedReviewers.requestedReviewer.name === process.env.REVIEWER
+        (requestedReviewers) => requestedReviewers.requestedReviewer?.name === process.env.REVIEWER
       ) &&
       !pr.reviews.nodes
         .flatMap((review) => review.onBehalfOf.nodes)

.github/actions-scripts/projects.js

@@ -114,6 +114,29 @@ export async function isDocsTeamMember(login) {
   return teamMembers.includes(login)
 }
 
+// Given a GitHub login, returns a bool indicating
+// whether the login is part of the GitHub org
+export async function isGitHubOrgMember(login) {
+  const data = await graphql(
+    `
+      query {
+        user(login: "${login}") {
+          organization(login: "github"){
+            name
+          }
+        }
+      }
+    `,
+    {
+      headers: {
+        authorization: `token ${process.env.TOKEN}`,
+      },
+    }
+  )
+
+  return Boolean(data.user.organization)
+}
+
 // Formats a date object into the required format for projects
 export function formatDateForProject(date) {
   return date.getFullYear() + '-' + (date.getMonth() + 1) + '-' + date.getDate()
@@ -246,6 +269,7 @@ export default {
   addItemsToProject,
   addItemToProject,
   isDocsTeamMember,
+  isGitHubOrgMember,
   findFieldID,
   findSingleSelectID,
   formatDateForProject,

.github/actions-scripts/ready-for-docs-review.js

@@ -3,6 +3,7 @@ import { graphql } from '@octokit/graphql'
 import {
   addItemToProject,
   isDocsTeamMember,
+  isGitHubOrgMember,
   findFieldID,
   findSingleSelectID,
   generateUpdateProjectNextItemFieldMutation,
@@ -178,9 +179,12 @@ async function run() {
   let contributorType
   if (await isDocsTeamMember(process.env.AUTHOR_LOGIN)) {
     contributorType = docsMemberTypeID
+  } else if (await isGitHubOrgMember(process.env.AUTHOR_LOGIN)) {
+    contributorType = hubberTypeID
   } else if (process.env.REPO === 'github/docs') {
     contributorType = osContributorTypeID
   } else {
+    // use hubber as the fallback so that the PR doesn't get lost on the board
     contributorType = hubberTypeID
   }
 

.github/allowed-actions.js

@@ -31,8 +31,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
-      - uses: github/codeql-action/init@v1
+      - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
           languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
-      - uses: github/codeql-action/analyze@v1
+      - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
         continue-on-error: true

.github/workflows/codeql.yml

@@ -113,7 +113,6 @@ jobs:
         uses: repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88
         env:
           GITHUB_TOKEN: ${{ secrets.OCTOMERGER_PAT_WITH_REPO_AND_WORKFLOW_SCOPE }}
-          CI: true
         with:
           source_repo: ${{ secrets.SOURCE_REPO }} # https://${access_token}@github.com/github/the-other-repo.git
           source_branch: main

.github/workflows/repo-sync.yml

@@ -6,16 +6,16 @@ name: Staging - Build and Deploy PR (fast and private-only)
 
 # This whole workflow is only guaranteed to be secure in the *private
 # repo* and because we repo-sync these files over the to the public one,
-# IT'S CRUCIALLY IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
+# IT'S IMPORTANT THAT THIS WORKFLOW IS ONLY ENABLED IN docs-internal!
 
 on:
-  # Ideally, we'd like to use 'pull_request' because we can more easily
-  # test changes to this workflow without relying on merges to 'main'.
-  # But this is guaranteed to be safer and won't have the problem of
-  # necessary secrets not being available.
-  # Perhaps some day when we're confident this workflow will always
-  # work in a regular PR, we can switch to that.
-  pull_request_target:
+  # The advantage of 'pull_request' over 'pull_request_target' is that we
+  # can make changes to this file and test them in a pull request, instead
+  # of relying on landing it in 'main' first.
+  # From a security point of view, its arguably safer this way because
+  # unlike 'pull_request_target', these only have secrets if the pull
+  # request creator has permission to access secrets.
+  pull_request:
 
 permissions:
   actions: read

.github/workflows/staging-build-and-deploy-pr.yml

@@ -20,9 +20,6 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
-env:
-  CI: true
-
 jobs:
   test:
     runs-on: windows-latest

.github/workflows/test-windows.yml

@@ -20,9 +20,6 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
-env:
-  CI: true
-
 jobs:
   test:
     # Run on self-hosted if the private repo or ubuntu-latest if the public repo

.github/workflows/test.yml

@@ -175,7 +175,8 @@ runs:
 
 ### `pre-if`
 
-**Optional** Allows you to define conditions for the `pre:` action execution. The `pre:` action will only run if the conditions in `pre-if` are met. If not set, then `pre-if` defaults to `always()`.
+**Optional** Allows you to define conditions for the `pre:` action execution. The `pre:` action will only run if the conditions in `pre-if` are met. If not set, then `pre-if` defaults to `always()`. In `pre-if`, status check functions evaluate against the job's status, not the action's own status.
+
 Note that the `step` context is unavailable, as no steps have run yet.
 
 In this example, `cleanup.js` only runs on Linux-based runners:
@@ -202,7 +203,7 @@ The `post:` action always runs by default but you can override this using `post-
 
 ### `post-if`
 
-**Optional** Allows you to define conditions for the `post:` action execution. The `post:` action will only run if the conditions in `post-if` are met. If not set, then `post-if` defaults to `always()`.
+**Optional** Allows you to define conditions for the `post:` action execution. The `post:` action will only run if the conditions in `post-if` are met. If not set, then `post-if` defaults to `always()`. In `post-if`, status check functions evaluate against the job's status, not the action's own status.
 
 For example, this `cleanup.js` will only run on Linux-based runners:
 
@@ -265,6 +266,35 @@ For more information, see "[`github context`](/actions/reference/context-and-exp
 **Required** The shell where you want to run the command. You can use any of the shells listed [here](/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsshell). Required if `run` is set.
 {% endif %}
 
+#### `runs.steps[*].if`
+
+**Optional** You can use the `if` conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.
+
+{% data reusables.github-actions.expression-syntax-if %} For more information, see "[Expressions](/actions/learn-github-actions/expressions)."
+
+**Example: Using contexts**
+
+ This step only runs when the event type is a `pull_request` and the event action is `unassigned`.
+
+ ```yaml
+steps:
+  - run: echo This event is a pull request that had an assignee removed.
+    if: {% raw %}${{ github.event_name == 'pull_request' && github.event.action == 'unassigned' }}{% endraw %}
+```
+
+**Example: Using status check functions**
+
+The `my backup step` only runs when the previous step of a composite action fails. For more information, see "[Expressions](/actions/learn-github-actions/expressions#job-status-check-functions)."
+
+```yaml
+steps:
+  - name: My first step
+    uses: octo-org/action-name@main
+  - name: My backup step
+    if: {% raw %}${{ failure() }}{% endraw %}
+    uses: actions/heroku@1.0.0
+```
+
 #### `runs.steps[*].name`
 
 **Optional** The name of the composite step.