From 5f065815728cf32495271508052f601ebe854726 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Mon, 18 May 2026 15:27:22 -0400
Subject: [PATCH] Add a reminder to run update_dependency to PR authors (#3050)

After the public-access removal from GCS buckets, the Kokoro tests can no longer use our private repo for resolve dependencies. And breakage is discovered only during build. This PR lets Github to create review comment, which triggers on PRs that contain *.lockfile changes and asks the PR author to confirm that the update_dependency script has been executed.
---
.../workflows/update-dependency-reminder.yml | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/update-dependency-reminder.yml
diff --git a/.github/workflows/update-dependency-reminder.yml b/.github/workflows/update-dependency-reminder.yml
new file mode 100644
index 000000000..456e0f5c1
--- /dev/null
+++ b/.github/workflows/update-dependency-reminder.yml
@@ -0,0 +1,48 @@
+name: Request Lockfile Review
+
+on:
+ pull_request_target:
+ branches: ["master"]
+ types: [opened, synchronize, reopened]
+
+jobs:
+ review-lockfiles:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+
+ steps:
+ # We intentionally do NOT use actions/checkout here.
+ # This keeps the environment completely secure and satisfies CodeQL.
+
+ - name: Check files via GitHub API
+ id: check_files
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prNumber = context.payload.pull_request.number;
+
+ // Get the list of files in the PR directly from the API
+ const { data: files } = await github.rest.pulls.listFiles({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: prNumber,
+ per_page: 100
+ });
+
+ // Look for any file **ending** in gradle.lockfile
+ const hasLockfile = files.some(file => file.filename.endsWith('gradle.lockfile'));
+ core.setOutput('has_lockfile', hasLockfile ? 'true' : 'false');
+
+ - name: Post unresolved review comment
+ if: steps.check_files.outputs.has_lockfile == 'true'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.pulls.createReview({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ event: 'REQUEST_CHANGES',
+ body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_Someone with Admin role must manually dismiss this review before merging._`
+ });
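Review bot: The `listFiles` call in the `check_files` step reads only the first page (`per_page: 100`), so on a pull request with more than 100 changed files a `gradle.lockfile` further down the list is never seen and the reminder is silently skipped. Paginating closes that gap: `const files = await github.paginate(github.rest.pulls.listFiles, { owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber, per_page: 100 });`. The second step also runs on every `synchronize` event, so each push to a PR that touches a lockfile appears to add another `REQUEST_CHANGES` review for an admin to dismiss; checking `github.rest.pulls.listReviews` for an existing review from this workflow before creating one would avoid that. Because this is a `pull_request_target` workflow holding a `pull-requests: write` token, pinning `actions/github-script` to a full commit SHA instead of the `v7` tag is worth doing, and the "completely secure" comment could state what is actually guaranteed, e.g. `# No checkout: code from the PR head is never executed with this token.`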