Commit 2025-06-23 20:05 8eb1f2fe

View on Github →

chore: rewrite maintainer_*.yml to work from forks (#26288) In #25675, the maintainer_merge.yml and maintainer_bors.yml workflows were partially disabled for PRs from forks because workflows triggered by pull_request_review and pull_request_review_comment for PRs from forks do not get access to secrets. Here we add back that functionality as follows:

If the workflow does not have access to secrets, we upload the necessary data to a workflow artifact, and then skip the rest of the steps
(If the workflow does have access to secrets, the behavior should be unchanged.)
We add new downstream workflow maintainer_[merge/bors]_wf_run.yml which triggers on completion of the original workflow via workflow_run (inspired by #25649)
- If the artifact exists, we download and extract the data from it
- then use the data to carry out the steps we were unable to before.
- This is possible because workflow_run workflows have access to secrets. It might be cleaner to have all paths go through the second workflow, however I decided to try to leave as much of the original code alone as possible. Also, changing to always do the main steps in another workflow run would also slow down the labeling in the cases that already work.

Estimated changes

Modified .github/workflows/maintainer_bors.yml

Created .github/workflows/maintainer_bors_wf_run.yml

Modified .github/workflows/maintainer_merge.yml

Created .github/workflows/maintainer_merge_wf_run.yml