Merged
29 changes: 29 additions & 0 deletions .github/workflows/label-merge-conflicts.yml
@@ -0,0 +1,29 @@
name: Label Merge Conflicts

on:
push:
pull_request_target:
types: [opened, reopened, synchronize]
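Review bot: deleting the `push:` trigger outright, as the comment on lines +3 to +6 proposes, would lose conflict detection for PRs that become dirty because the base branch moved: `pull_request_target` with `opened, reopened, synchronize` only fires when the PR itself changes, while the action's own usage example (quoted in the web-query result further down this page) triggers on `push:` precisely so that pushes to the base branch re-check the PRs they affect. If CI cost is the concern, narrow `push:` with a `branches:` filter to the branches that PRs target instead of removing it, and add a one-line YAML comment saying why both triggers are present.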
Comment on lines +3 to +6
Contributor

⚠️ Potential issue | 🟠 Major

Remove the unnecessary push trigger.

The push trigger will cause this workflow to run on every commit to any branch, including direct commits that are unrelated to pull requests. Since the eps1lon/actions-label-merge-conflict action is designed to detect and label merge conflicts in PRs, the push trigger adds minimal value while consuming CI resources unnecessarily.

The pull_request_target trigger already handles all relevant PR events (opened, reopened, synchronize).

🔧 Proposed fix
 on:
-  push:
   pull_request_target:
     types: [opened, reopened, synchronize]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/label-merge-conflicts.yml around lines 3 - 6, Remove the
unnecessary "push" trigger from the workflow so it only runs on PR events;
specifically delete the push key at the top of the YAML and keep the existing
pull_request_target trigger (with types: [opened, reopened, synchronize]) so the
eps1lon/actions-label-merge-conflict action only runs for PR events.


permissions:
pull-requests: write
contents: read

jobs:
label-conflicts:
runs-on: ubuntu-latest
steps:
- name: Label PRs with merge conflicts
uses: eps1lon/actions-label-merge-conflict@v3
with:
dirtyLabel: "PR has merge conflicts"
repoToken: "${{ secrets.GITHUB_TOKEN }}"
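Review bot: the `permissions:` block is correctly minimal for a `pull_request_target` job (`pull-requests: write` to add and remove the label, `contents: read` for everything else), but because this event runs with the base repository's token and secrets even for PRs from forks, the safety of the workflow rests on the job never checking out or executing code from the PR head. Put a short YAML comment above `jobs:` stating that constraint so a later step (an `actions/checkout` of the PR ref, for example) is not added without thought. On the `uses:` line, `@v3` is a mutable tag; the SHA-pinning point raised in the comment on lines +16 to +20 applies, and the pinned line should carry the version as a trailing comment (`@<full-commit-sha> # v3.x.y`) so Dependabot or Renovate can keep it current.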
Comment on lines +16 to +20
Contributor

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify the action exists and check for the latest stable version

echo "Fetching repository information for eps1lon/actions-label-merge-conflict..."
gh api repos/eps1lon/actions-label-merge-conflict --jq '{name: .name, default_branch: .default_branch, archived: .archived}'

echo -e "\nFetching available tags/releases..."
gh api repos/eps1lon/actions-label-merge-conflict/tags --jq '.[0:5] | .[] | {name: .name, commit: .commit.sha}'

echo -e "\nChecking for v3 tag specifically..."
gh api repos/eps1lon/actions-label-merge-conflict/git/ref/tags/v3 --jq '{ref: .ref, sha: .object.sha}' 2>&1 || echo "v3 tag not found"

Repository: AOSSIE-Org/SocialShareButton

Length of output: 684


🌐 Web query:

eps1lon/actions-label-merge-conflict GitHub action

💡 Result:

eps1lon/actions-label-merge-conflict is a GitHub Action that automatically adds a specified label to pull requests (PRs) when they have merge conflicts and removes it when conflicts are resolved. It also supports removing another label on conflict and optionally posting comments.

Key features:
- Adds 'dirtyLabel' (required) to PRs with conflicts; removes it when clean.
- Removes 'removeOnDirtyLabel' (optional) when conflicting.
- Posts customizable comments: 'commentOnDirty' and 'commentOnClean'.
- Optimized to check only relevant PRs affected by pushes.
- Uses GitHub's mergeable state; retries up to 'retryMax' (default 5) times.

Usage example in .github/workflows/maintenance.yml:

    name: Maintenance
    on:
      push:
      pull_request_target:
        types: [synchronize]
    jobs:
      main:
        runs-on: ubuntu-latest
        steps:
          - name: check if prs are dirty
            uses: eps1lon/actions-label-merge-conflict@v3
            with:
              dirtyLabel: 'PR: needs rebase'
              removeOnDirtyLabel: 'PR: ready to ship'
              repoToken: ${{ secrets.GITHUB_TOKEN }}
              commentOnDirty: 'This pull request has conflicts, please resolve those before we can evaluate the pull request.'
              commentOnClean: 'Conflicts have been resolved. A maintainer will review the pull request shortly.'

Repo stats: 61 stars, TypeScript, latest release v3.0.3 (2025-01-06), last push 2026-03-13. Use @v3 for stable, @main for latest. Motivation: Notifies PR authors of conflicts via labels without comment spam, inspired by isaacs/github#224. Other inputs: repoToken (required, use GITHUB_TOKEN), retryMax (default 5), failOnInsufficientPermissions (default true). Primary source: Official GitHub repo.

Citations:


🌐 Web query:

GitHub actions best practices version pinning commit SHA vs version tags security

💡 Result:

For GitHub Actions best practices on version pinning, prioritize pinning to full-length commit SHAs over version tags for maximum security, especially for third-party actions. This provides immutability, preventing supply chain attacks where tags are moved to malicious commits.

Key points:
- Official GitHub recommendation: "Pin actions to a full-length commit SHA is currently the only way to use an action as an immutable release." This mitigates risks from backdoors, as attackers would need a SHA-1 collision.
- SHA vs Tags: Tags (e.g., @v4) can be updated or retagged; SHAs are fixed to exact code. Use major tags (e.g., @v4) as a minimum over @main or @latest, but prefer SHAs.
- For trusted actions (GitHub's own, verified creators): Major version tags balance security and updates.
- High-risk actions (third-party handling secrets): Always SHA pin.
- Enforcement: GitHub policies at repo/org/enterprise level require SHA pinning and block unpinned actions.
- Maintenance: Comment SHAs with version (e.g., @sha # v4.1.0), update via Dependabot/Renovate PRs.
- How to find SHA: Go to action repo > Releases > tag > copy commit SHA; or run once with tag and check logs.

Example: uses: actions/checkout@692973e # v4.1.7

Avoid: @main, @latest, short SHAs.

Citations:


Consider pinning to a commit SHA for enhanced security.

The workflow uses eps1lon/actions-label-merge-conflict@v3, which pins to a major version tag. GitHub's security guidance recommends pinning third-party actions to a specific commit SHA instead, as version tags can be retagged to point to different code. Replace @v3 with the full commit SHA (e.g., @abc1234...) to ensure immutability and prevent unintended changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/label-merge-conflicts.yml around lines 16 - 20, Replace
the floating tag on the third-party action usage so it pins to an immutable
commit SHA: locate the uses entry "eps1lon/actions-label-merge-conflict@v3" and
replace the "@v3" suffix with the full commit SHA for that action (for example
"@<commit-sha>"); verify the SHA is from the action's official repo and update
any relevant workflow tests or docs to reflect the pinned SHA.
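The SHA-pinning finding above is easy to check mechanically across a repository's workflow files. The script below is an added example, not code from this PR, from the bot, or from the eps1lon action: it scans workflow YAML text for `uses:` references and classifies each one by how immutable its pin is (full 40-hex SHA, short SHA, version tag, branch name, local path, or container image). The sample workflow, the `SAMPLE_WORKFLOW` name, the function names, and the all-zero placeholder SHA are constructed for the example; only the Python standard library is used.

```python
import re

# Matches the `uses:` key of a workflow step and captures the action reference.
# A trailing `# v4.1.7` style comment is excluded by stopping at whitespace or '#'.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')
VERSION_TAG_RE = re.compile(r'^v?\d')

# Reference kinds that do not give an immutable pin.
MUTABLE_KINDS = ('tag', 'branch', 'short-sha', 'unpinned')


def classify_ref(ref: str) -> str:
    """Classify one `uses:` reference by the kind of pin it carries."""
    if ref.startswith('./'):
        return 'local'        # action in the same repository; pinned by the checkout itself
    if ref.startswith('docker://'):
        return 'docker'       # container reference; image digest pinning is a separate check
    if '@' not in ref:
        return 'unpinned'     # no ref at all
    _, _, version = ref.rpartition('@')
    if FULL_SHA_RE.match(version):
        return 'sha'          # immutable: points at exactly one commit
    if SHORT_SHA_RE.match(version):
        return 'short-sha'    # abbreviated SHA; ambiguous and discouraged by GitHub
    if VERSION_TAG_RE.match(version):
        return 'tag'          # version tag such as v3 or v4.1.7; can be retagged
    return 'branch'           # main, master, latest, or similar moving ref


def audit_workflow(yaml_text: str) -> list[tuple[str, str]]:
    """Return (reference, kind) for every `uses:` entry in the workflow text."""
    return [(ref, classify_ref(ref)) for ref in USES_RE.findall(yaml_text)]


def unpinned_actions(yaml_text: str) -> list[str]:
    """Return the references that should be replaced with a full commit SHA."""
    return [ref for ref, kind in audit_workflow(yaml_text) if kind in MUTABLE_KINDS]


# Constructed sample workflow mixing the pin styles discussed above.
# The 40-zero SHA is a placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
name: Label Merge Conflicts
on:
  pull_request_target:
    types: [opened, reopened, synchronize]
jobs:
  label-conflicts:
    runs-on: ubuntu-latest
    steps:
      - name: Label PRs with merge conflicts
        uses: eps1lon/actions-label-merge-conflict@v3
        with:
          dirtyLabel: "PR has merge conflicts"
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x.y (placeholder SHA)
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:10} {ref}")
    print("needs SHA pin:", unpinned_actions(SAMPLE_WORKFLOW))
```

Run against the real files with something like `for f in .github/workflows/*.yml; do python3 audit.py "$f"; done` after swapping `SAMPLE_WORKFLOW` for the file contents; a non-empty `unpinned_actions` result is the list to fix, and keeping the version as a trailing comment on the pinned line (`@<sha> # v3.0.3`) is what lets Dependabot or Renovate raise update PRs later.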

commentOnDirty: |
⚠️ **This PR has merge conflicts.**

Please resolve the merge conflicts before review.

Your PR will only be reviewed by a maintainer after all conflicts have been resolved.

📺 Watch this video to understand why conflicts occur and how to resolve them:
https://www.youtube.com/watch?v=Sqsz1-o7nXk
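Review bot: the `commentOnDirty` block scalar is fine as YAML, but it embeds an external YouTube URL whose content the project does not control; if the video is removed or changed, every conflicted PR will be pointed at nothing useful. Link to a page under the project's own documentation (a conflict-resolution section in the contributing guide, for example) and keep the video link there, so the guidance can be updated without editing CI configuration. The `commentOnClean` addition proposed in the comment on lines +16 to +29 is worth taking; it is symmetric with this block and is a documented input of the action.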
Comment on lines +16 to +29
Contributor

🧹 Nitpick | 🔵 Trivial

Consider adding a commentOnClean notification.

While the workflow posts a helpful comment when conflicts are detected, it doesn't notify contributors when conflicts are resolved. Adding a commentOnClean parameter would provide positive feedback and confirm that the PR is ready for review.

✨ Optional enhancement
       - name: Label PRs with merge conflicts
         uses: eps1lon/actions-label-merge-conflict@v3
         with:
           dirtyLabel: "PR has merge conflicts"
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
           commentOnDirty: |
             ⚠️ **This PR has merge conflicts.**
             
             Please resolve the merge conflicts before review.
             
             Your PR will only be reviewed by a maintainer after all conflicts have been resolved.
             
             📺 Watch this video to understand why conflicts occur and how to resolve them:
             https://www.youtube.com/watch?v=Sqsz1-o7nXk
+          commentOnClean: |
+            ✅ **Merge conflicts have been resolved.**
+            
+            This PR is now ready for review by a maintainer.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/label-merge-conflicts.yml around lines 16 - 29, Add a
commentOnClean parameter to the eps1lon/actions-label-merge-conflict@v3
invocation so contributors receive a positive notification when conflicts are
resolved; update the job that currently sets dirtyLabel and commentOnDirty (the
"Label PRs with merge conflicts" step) to include commentOnClean with a short
confirmation message like "✅ Merge conflicts resolved — this PR is ready for
review." Ensure the new parameter mirrors the formatting of commentOnDirty and
uses repoToken: "${{ secrets.GITHUB_TOKEN }}" as existing.
