Fix changes requested action for fork branches#16148
Conversation
The pull_request_review event doesn't provide repository secrets for fork PRs, causing the GitHub App token generation to fail. This change splits the review handling into a two-workflow pattern: 1. pr-review-trigger.yml: Lightweight trigger on pull_request_review that saves review info as artifacts (no secrets needed) 2. pr-automation.yml: Handles the workflow_run event from the trigger, downloads artifacts, and manages labels with full secret access Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com>
Deploying care-preview with
|
| Latest commit: |
d8d26e3
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e6a57f1b.care-preview-a7w.pages.dev |
| Branch Preview URL: | https://copilot-fix-changes-requeste.care-preview-a7w.pages.dev |
Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com>
|
@yash-learner Status? |
Need to review and test, myself Will try to get it ready for review by Monday |
🎭 Playwright Test ResultsStatus: ⏭️ Skipped No test-related files were changed in this PR. Tests are skipped when changes don't affect:
Run: #8280 |
There was a problem hiding this comment.
Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.
| jobs: | ||
| assign-pr: | ||
| runs-on: ubuntu-24.04-arm | ||
| # Skip workflow for PRs created by bots |
There was a problem hiding this comment.
Probably we should run this workflow for bots as well because we are opening PR's with copilot as author
Let;s handle this in a separate PR, later
There was a problem hiding this comment.
Pull request overview
This PR fixes PR label automation for forked PRs by moving “changes requested” handling out of the pull_request_review workflow context (which lacks repo secrets on forks) and into a base-repo workflow_run follow-up that can safely access secrets.
Changes:
- Added a lightweight
pull_request_reviewworkflow that records review metadata to an artifact only when the review state ischanges_requested. - Updated the main PR automation workflow to trigger review-label handling via
workflow_runof the new trigger workflow (with an explicit artifact existence check). - Scoped existing PR assignment automation to only run on
pull_request_targetevents, and addedactions: readpermission to support cross-workflow artifact download.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/pr-review-trigger.yml |
Adds a minimal review-submitted trigger that uploads PR number + review state as an artifact for changes_requested. |
.github/workflows/pr-automation.yml |
Switches review handling to workflow_run, downloads/validates artifact data, and applies the “changes required” label using an app token. |
| - name: Upload review info | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: review-info |
There was a problem hiding this comment.
Consider setting a short retention-days for the review-info artifact (similar to other ephemeral artifacts in this repo) to avoid accumulating artifacts for every changes_requested review over time.
| name: review-info | |
| name: review-info | |
| retention-days: 1 |
✅ Deploy Preview for care-ohc ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
| exit 1 | ||
| fi | ||
|
|
||
| if [[ "$REVIEW_STATE" != "changes_requested" && "$REVIEW_STATE" != "approved" && "$REVIEW_STATE" != "commented" && "$REVIEW_STATE" != "dismissed" ]]; then |
There was a problem hiding this comment.
I can't find much on possible values of github.event.review.state 🤔 (they really should have better documentation for this!) but seems fine.
|
@nihal467 this looks fine |
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com>
* [ENG-314] Show all medication administration reports in drug chart (ohcnetwork#16355) * Fix: Reset role search query on dropdown close (ohcnetwork#16124) * Fix logo handling in Print Preview (ohcnetwork#16217) * Complete Encounter Without Dependency on Appointment and Token (ohcnetwork#15688) * Remove facilityOrg.setup.ts - now handled by backend fixtures (ohcnetwork#16360) * ENG-338 feat: add store internal type and inventory view functionality (ohcnetwork#16364) * Make Payment sheet url accessible in Account & Invoice (ohcnetwork#16337) * Fix: Responsibilities Page: Fixed Mobile Clear Button (ohcnetwork#16276) * Fix changes requested action for fork branches (ohcnetwork#16148) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com> * Plugin Integration: Feedback + Complaint Management --------- Co-authored-by: Muhammed Sawad <sawadmuhammedpm@gmail.com> Co-authored-by: Bodhish Thomas <bodhish@gmail.com> Co-authored-by: Deep <244596472+Deepcode007@users.noreply.github.com> Co-authored-by: Yaswanth Kumar Bethu <yash.topaz@gmail.com> Co-authored-by: Nikhila C <115739037+NikhilA8606@users.noreply.github.com> Co-authored-by: Mohammed Nihal <57055998+nihal467@users.noreply.github.com> Co-authored-by: Abhimanyu Rajeesh <63541653+abhimanyurajeesh@users.noreply.github.com> Co-authored-by: Amjith Titus <amjithtitus09@gmail.com> Co-authored-by: Pranav Rustagi <pranav.rutagi@egovernments.org> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com>
* [ENG-314] Show all medication administration reports in drug chart (ohcnetwork#16355) * Fix: Reset role search query on dropdown close (ohcnetwork#16124) * Fix logo handling in Print Preview (ohcnetwork#16217) * Complete Encounter Without Dependency on Appointment and Token (ohcnetwork#15688) * Remove facilityOrg.setup.ts - now handled by backend fixtures (ohcnetwork#16360) * ENG-338 feat: add store internal type and inventory view functionality (ohcnetwork#16364) * Make Payment sheet url accessible in Account & Invoice (ohcnetwork#16337) * Fix: Responsibilities Page: Fixed Mobile Clear Button (ohcnetwork#16276) * Fix changes requested action for fork branches (ohcnetwork#16148) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com> * Plugin Integration: Feedback + Complaint Management --------- Co-authored-by: Muhammed Sawad <sawadmuhammedpm@gmail.com> Co-authored-by: Bodhish Thomas <bodhish@gmail.com> Co-authored-by: Deep <244596472+Deepcode007@users.noreply.github.com> Co-authored-by: Yaswanth Kumar Bethu <yash.topaz@gmail.com> Co-authored-by: Nikhila C <115739037+NikhilA8606@users.noreply.github.com> Co-authored-by: Mohammed Nihal <57055998+nihal467@users.noreply.github.com> Co-authored-by: Abhimanyu Rajeesh <63541653+abhimanyurajeesh@users.noreply.github.com> Co-authored-by: Amjith Titus <amjithtitus09@gmail.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: yash-learner <53794102+yash-learner@users.noreply.github.com>
Proposed Changes
Tested similar dummy workflow here
-> yash-learner/test_actions#7, -> Fork
-> yash-learner/test_actions#8 -> Base
As we can't test these workflows before merging into main
Proposed Changes
pull_request_reviewevents don't receive repository secrets for fork PRs, soactions/create-github-app-tokenfails withappId option is requiredsincesecrets.APP_IDis empty.Fix: use the
workflow_runpattern to decouple the review event (no secrets needed) from the label management (secrets needed)..github/workflows/pr-review-trigger.yml: Lightweight workflow onpull_request_review: submittedthat saves PR number + review state as artifacts. Needs no secrets, runs withpermissions: {}..github/workflows/pr-automation.yml:pull_request_reviewtrigger withworkflow_run: ["PR Review Trigger"](always runs in base repo context → has secrets)assign-prjob topull_request_targetevents onlyhandle-reviewjob: pre-checks artifact existence viagh api(nocontinue-on-error), validates inputs (numeric PR number, known review state allowlist), generates app token, manages labelscontinue-on-error: true— missing artifact (non-changes_requestedreviews) logs a clear message and skips gracefully; real failures (permissions, network) now fail loudlyactions: readpermission for cross-workflow artifact downloadTagging: @ohcnetwork/care-fe-code-reviewers
Merge Checklist
Original prompt
📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.