From a9598b79652a41d16460180b25d5f6196730ca27 Mon Sep 17 00:00:00 2001
From: M-i-k-e-l
Date: Mon, 5 Jan 2026 11:18:14 +0200
Subject: [PATCH 1/4] Add check for do not merge and update actions
---
 .github/workflows/block-merge-label-check.yml | 40 +++++++++++++++++++
 .github/workflows/deployDocs.yml | 4 ++
 .../workflows/label-waiting-for-response.yml | 4 ++
 .github/workflows/pr-description-check.yml | 4 ++
 4 files changed, 52 insertions(+)
 create mode 100644 .github/workflows/block-merge-label-check.yml
diff --git a/.github/workflows/block-merge-label-check.yml b/.github/workflows/block-merge-label-check.yml
new file mode 100644
index 0000000000..64987bfed6
--- /dev/null
+++ b/.github/workflows/block-merge-label-check.yml
@@ -0,0 +1,40 @@
+name: Block Merge Label Check
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, labeled, unlabeled]
+
+jobs:
+ check-do-not-merge-label:
+ runs-on: ubuntu-latest
+ name: Check Do Not Merge Label
+
+ steps:
+ - name: Enable Corepack
+ run: corepack enable
+ - name: Security check (npq)
+ run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
+ - name: Check for Do Not Merge label
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prNumber = context.payload.pull_request.number;
+ console.log(`Checking labels for PR #${prNumber}...`);
+
+ // Get all labels on the PR
+ const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: prNumber,
+ });
+
+ // Check if "Do Not Merge!" label exists
+ const doNotMergeLabel = labels.find(label => label.name === 'Do Not Merge!');
+
+ if (doNotMergeLabel) {
+ console.log('❌ Found "Do Not Merge!" label - blocking merge');
+ core.setFailed('PR has "Do Not Merge!" label - cannot merge');
+ } else {
+ console.log('✅ No "Do Not Merge!" label found - PR can be merged');
+ }
+
diff --git a/.github/workflows/deployDocs.yml b/.github/workflows/deployDocs.yml
index c2ec9be4a5..3d38ab9eff 100644
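Review bot: The new block-merge-label-check.yml declares no `permissions:` key, so the github-script step runs with whatever default GITHUB_TOKEN scope the repository or organisation has configured. The script only calls `issues.listLabelsOnIssue`, so a top-level `permissions:` block granting `pull-requests: read` should be enough (worth confirming on a test PR). The call is also not paginated, so only the first page of labels is inspected; reading `context.payload.pull_request.labels` or wrapping the call in `github.paginate(...)` avoids a missed label on a heavily labelled PR. Whether a failed run actually blocks the merge depends on this check being a required status check, which is not visible in the patch.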
--- a/.github/workflows/deployDocs.yml
+++ b/.github/workflows/deployDocs.yml
@@ -13,6 +13,10 @@ jobs:
 contents: write # Needed for pushing to gh-pages
 steps:
+ - name: Enable Corepack
+ run: corepack enable
+ - name: Security check (npq)
+ run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/label-waiting-for-response.yml b/.github/workflows/label-waiting-for-response.yml
index 825bfec6f8..ea94efb085 100644
--- a/.github/workflows/label-waiting-for-response.yml
+++ b/.github/workflows/label-waiting-for-response.yml
@@ -19,6 +19,10 @@ jobs:
 github.event.issue.user.login != github.event.comment.user.login
 steps:
+ - name: Enable Corepack
+ run: corepack enable
+ - name: Security check (npq)
+ run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
 - name: Check if commenter is maintainer
 id: check-maintainer
 uses: actions/github-script@v7
diff --git a/.github/workflows/pr-description-check.yml b/.github/workflows/pr-description-check.yml
index 6c0cb7171f..0d4ff126ae 100644
--- a/.github/workflows/pr-description-check.yml
+++ b/.github/workflows/pr-description-check.yml
@@ -10,6 +10,10 @@ jobs:
 name: Validate PR Description
 steps:
+ - name: Enable Corepack
+ run: corepack enable
+ - name: Security check (npq)
+ run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
 - name: Validate PR Description
 uses: actions/github-script@v7
 with:
From f4c668261d68060c83a8f3f7ca7dfa1eeaa0487b Mon Sep 17 00:00:00 2001
From: M-i-k-e-l
Date: Mon, 5 Jan 2026 11:24:39 +0200
Subject: [PATCH 2/4] Use NPQ_PKG_MGR
---
 .github/workflows/block-merge-label-check.yml | 2 +-
 .github/workflows/deployDocs.yml | 2 +-
 .github/workflows/label-waiting-for-response.yml | 2 +-
 .github/workflows/pr-description-check.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/block-merge-label-check.yml b/.github/workflows/block-merge-label-check.yml
index 64987bfed6..05a3010395 100644
--- a/.github/workflows/block-merge-label-check.yml
+++ b/.github/workflows/block-merge-label-check.yml
@@ -13,7 +13,7 @@ jobs:
 - name: Enable Corepack
 run: corepack enable
 - name: Security check (npq)
- run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
+ run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Check for Do Not Merge label
 uses: actions/github-script@v7
 with:
diff --git a/.github/workflows/deployDocs.yml b/.github/workflows/deployDocs.yml
index 3d38ab9eff..42bc8aa223 100644
--- a/.github/workflows/deployDocs.yml
+++ b/.github/workflows/deployDocs.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Enable Corepack
 run: corepack enable
 - name: Security check (npq)
- run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
+ run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/label-waiting-for-response.yml b/.github/workflows/label-waiting-for-response.yml
index ea94efb085..1a3794ca36 100644
--- a/.github/workflows/label-waiting-for-response.yml
+++ b/.github/workflows/label-waiting-for-response.yml
@@ -22,7 +22,7 @@ jobs:
 - name: Enable Corepack
 run: corepack enable
 - name: Security check (npq)
- run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
+ run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Check if commenter is maintainer
 id: check-maintainer
 uses: actions/github-script@v7
diff --git a/.github/workflows/pr-description-check.yml b/.github/workflows/pr-description-check.yml
index 0d4ff126ae..0693e38e82 100644
--- a/.github/workflows/pr-description-check.yml
+++ b/.github/workflows/pr-description-check.yml
@@ -13,7 +13,7 @@ jobs:
 - name: Enable Corepack
 run: corepack enable
 - name: Security check (npq)
- run: npx npq@3.15.4 install --pkgMgr yarn --dry-run
+ run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Validate PR Description
 uses: actions/github-script@v7
 with:
From bc231ee475fae991bfb2cde7889ed148112cd2d9 Mon Sep 17 00:00:00 2001
From: M-i-k-e-l
Date: Wed, 7 Jan 2026 11:55:16 +0200
Subject: [PATCH 3/4] Install with npq
---
 .github/workflows/deployDocs.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deployDocs.yml b/.github/workflows/deployDocs.yml
index 42bc8aa223..92d4f9c34e 100644
--- a/.github/workflows/deployDocs.yml
+++ b/.github/workflows/deployDocs.yml
@@ -13,10 +13,6 @@ jobs:
 contents: write # Needed for pushing to gh-pages
 steps:
- - name: Enable Corepack
- run: corepack enable
- - name: Security check (npq)
- run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -27,7 +23,7 @@ jobs:
 cache: 'yarn'
 - name: Install dependencies
- run: yarn install
+ run: NPQ_PKG_MGR=yarn npx npq install --immutable
 - name: Build documentation
 run: yarn docs:build
@@ -42,7 +38,7 @@ jobs:
 git config --global user.email "github-actions[bot]@users.noreply.github.com"
 git config --global user.name "github-actions[bot]"
 cd docuilib
- yarn install
+ NPQ_PKG_MGR=yarn npx npq install --immutable
 yarn deploy
 - name: Deploy disclaimer
From 1802c146509e2a72dceaad28d89e0372c85b223c Mon Sep 17 00:00:00 2001
From: M-i-k-e-l
Date: Thu, 8 Jan 2026 10:38:46 +0200
Subject: [PATCH 4/4] Pin actions to a full-length commit SHA
---
 .github/workflows/block-merge-label-check.yml | 6 +-----
 .github/workflows/deployDocs.yml | 4 ++--
 .github/workflows/label-waiting-for-response.yml | 10 +++-------
 .github/workflows/pr-description-check.yml | 6 +-----
 4 files changed, 7 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/block-merge-label-check.yml b/.github/workflows/block-merge-label-check.yml
index 05a3010395..c43c45a7df 100644
--- a/.github/workflows/block-merge-label-check.yml
+++ b/.github/workflows/block-merge-label-check.yml
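Review bot: The two new install commands in PATCH 3/4 for deployDocs.yml, `NPQ_PKG_MGR=yarn npx npq install --immutable` in the "Install dependencies" step and again after `cd docuilib`, drop the `@3.15.4` pin that the removed dry-run step carried, so npx resolves whatever npq version is latest at run time. This job holds `contents: write`, so an unpinned tool fetched from the registry runs next to a token that can push to the repository; keep the pin, e.g. `NPQ_PKG_MGR=yarn npx npq@3.15.4 install --immutable`. It is also worth confirming that npq forwards `--immutable` to yarn and fails the step non-interactively when one of its checks trips, since neither is visible from these hunks.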
@@ -10,12 +10,8 @@ jobs:
 name: Check Do Not Merge Label
 steps:
- - name: Enable Corepack
- run: corepack enable
- - name: Security check (npq)
- run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Check for Do Not Merge label
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 const prNumber = context.payload.pull_request.number;
diff --git a/.github/workflows/deployDocs.yml b/.github/workflows/deployDocs.yml
index 92d4f9c34e..e20809bab5 100644
--- a/.github/workflows/deployDocs.yml
+++ b/.github/workflows/deployDocs.yml
@@ -14,10 +14,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
diff --git a/.github/workflows/label-waiting-for-response.yml b/.github/workflows/label-waiting-for-response.yml
index 1a3794ca36..1786b4b44d 100644
--- a/.github/workflows/label-waiting-for-response.yml
+++ b/.github/workflows/label-waiting-for-response.yml
@@ -19,13 +19,9 @@ jobs:
 github.event.issue.user.login != github.event.comment.user.login
 steps:
- - name: Enable Corepack
- run: corepack enable
- - name: Security check (npq)
- run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Check if commenter is maintainer
 id: check-maintainer
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 const response = await github.rest.repos.getCollaboratorPermissionLevel({
@@ -39,7 +35,7 @@ jobs:
 - name: Add waiting-for-response label
 if: steps.check-maintainer.outputs.result == 'true'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 await github.rest.issues.addLabels({
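Review bot: The SHA pins added to the `uses:` lines in PATCH 4/4 (github-script in block-merge-label-check.yml, label-waiting-for-response.yml and pr-description-check.yml; checkout and setup-node in deployDocs.yml) are tied to a release only by the trailing `# v7.1.0`, `# v4.3.1` and `# v4.4.0` comments, which nothing in the diff verifies. It is worth confirming that each SHA is the commit the upstream repository's release tag points to, because GitHub also resolves a SHA that exists only in a fork of the action. No updater configuration is visible in this series; if the repository has none, a Dependabot `github-actions` entry (or Renovate) keeps the pinned SHAs and their version comments current.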
@@ -57,7 +53,7 @@ jobs:
 steps:
 - name: Process all open issues
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 async function isMaintianer(username) {
diff --git a/.github/workflows/pr-description-check.yml b/.github/workflows/pr-description-check.yml
index 0693e38e82..0ec963b4bd 100644
--- a/.github/workflows/pr-description-check.yml
+++ b/.github/workflows/pr-description-check.yml
@@ -10,12 +10,8 @@ jobs:
 name: Validate PR Description
 steps:
- - name: Enable Corepack
- run: corepack enable
- - name: Security check (npq)
- run: NPQ_PKG_MGR=yarn npx npq@3.15.4 install --dry-run
 - name: Validate PR Description
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 const prBody = context.payload.pull_request.body || '';