ci: stabilize anno apply/reject (event parsing + strict gating)

2026-03-02 11:10:53 +01:00
parent 901d28b89b
commit 7c8e49c1a9
2 changed files with 62 additions and 48 deletions
--- a/.gitea/workflows/anno-reject.yml
+++ b/.gitea/workflows/anno-reject.yml
@@ -22,6 +22,13 @@ concurrency:

 jobs:
  reject:
+    # ✅ Job ne se lance QUE si le label ajouté est state/rejected, ou si workflow_dispatch
+    if: >-
+      ${{
+        (github.event_name == 'issues' && github.event.action == 'labeled' && github.event.label.name == 'state/rejected')
+        || github.event_name == 'workflow_dispatch'
+      }}
+
    runs-on: mac-ci
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
@@ -96,44 +103,34 @@ jobs:
            `REPO=${sh(repo)}`,
            `ISSUE_NUMBER=${sh(issueNumber)}`,
            `LABEL_NAME=${sh(labelName)}`,
-            `API_BASE=${sh(apiBase)}`
+            `API_BASE=${sh(apiBase)}`,
+            `SKIP=0`
          ].join("\n") + "\n");
          NODE

          echo "✅ context:"
          sed -n '1,120p' /tmp/reject.env

-      - name: Gate on label state/rejected only
-        run: |
-          set -euo pipefail
-          source /tmp/reject.env
-
-          if [[ "$LABEL_NAME" != "state/rejected" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
-            echo "ℹ️ label=$LABEL_NAME => skip"
-            echo "SKIP=1" >> /tmp/reject.env
-            exit 0
-          fi
-          echo "✅ proceed (issue=$ISSUE_NUMBER)"
-
      - name: Comment + close (only if not conflicting with state/approved)
        env:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
          source /tmp/reject.env
-          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }

          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
          test -n "${API_BASE:-}" || { echo "❌ Missing API_BASE"; exit 1; }

-          ISSUE_JSON="$(curl -fsS \
+          curl -fsS \
            -H "Authorization: token $FORGE_TOKEN" \
            -H "Accept: application/json" \
-            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
+            -o /tmp/issue.json

          # conflict guard: approved + rejected => do nothing, comment warning
-          node --input-type=module - <<'NODE' "$ISSUE_JSON" > /tmp/reject.flags
-          const issue = JSON.parse(process.argv[1] || "{}");
+          node --input-type=module <<'NODE' > /tmp/reject.flags
+          import fs from "node:fs";
+          const issue = JSON.parse(fs.readFileSync("/tmp/issue.json","utf8"));
          const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name || "")).filter(Boolean) : [];
          const hasApproved = labels.includes("state/approved");
          const hasRejected = labels.includes("state/rejected");