Add PR triage workflow

.github/workflows/pr-reviewed-trigger.yml

@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Pull Request Reviewed
+
+on:
+  pull_request_review:
+    types:
+      - submitted
+
+jobs:
+  # This job is a workaround for the fact that pull_request_review lacks necessary permissions to modify PRs.
+  # Also, there is no pull_request_target analog to pull_request_review. The approach taken here is taken from
+  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/.
+  pr-review-trigger:
+    name: Reviewed
+    runs-on: ubuntu-latest
+    steps:
+      - name: Env
+        run: printenv
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+      - name: Capture PR Number
+        run:
+          echo ${{ github.event.pull_request.number }} >> pr-number.txt
+      - name: Archive Event
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-number.txt
+          path: pr-number.txt

.github/workflows/pr-reviewed.yml

@@ -0,0 +1,53 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Remove Triage Label
+
+on:
+  workflow_run:
+    workflows: [Pull Request Reviewed]
+    types:
+      - completed
+
+jobs:
+  # This job runs with elevated permissions and the ability to modify pull requests. The steps taken here
+  # should be limited to updating labels and adding comments to PRs. This approach is taken from
+  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/.
+  remove-triage:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Env
+        run: printenv
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+      - uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+          name: pr-number.txt
+      - name: Remove label
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            var fs = require('fs');
+            var pr_number = Number(fs.readFileSync('./pr-number.txt'));
+            await github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr_number,
+              name: 'triage'
+            });

.github/workflows/pr-update.yml

@@ -25,9 +25,11 @@ on:
   # * https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
   pull_request_target:
     types: [opened, reopened, synchronize]
+    branches:
+      - trunk
 
 jobs:
-  label_PRs:
+  add-labeler-labels:
     name: Labeler
     permissions:
       contents: read
@@ -45,3 +47,41 @@ jobs:
         PR_NUM: ${{github.event.number}}
       run: |
         ./.github/scripts/label_small.sh
+
+  add-triage-label:
+    if: github.event.action == 'opened' || github.event.action == 'reopened'
+    name: Add triage label
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Env
+        run: printenv
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+      - name: Check PR Author  # The step sets output "exitcode" to 0 iff the PR is from a committer.
+        id: check-author
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_USER: ${{ github.event.pull_request.user.login }}
+        run: |
+          set +e
+          echo "Checking apache org members for PR author $PR_USER"
+          gh api --verbose \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/orgs/apache/members/$PR_USER"
+          exitcode=$?
+          if [ $exitcode -ne 0 ]; then
+            echo "Did not find contributor for $PR_USER"
+            echo "contributor=0" >> $GITHUB_OUTPUT
+          else
+            echo "Found contributor $FOUND_CONTRIBUTOR that matches PR author $PR_USER"
+            echo "contributor=1" >> $GITHUB_OUTPUT
+          fi
+      - if: steps.check-author.outputs.contributor == 0
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.pull_request.number }}
+        run: gh pr edit "$NUMBER" --add-label triage

.github/workflows/stale.yml

@@ -35,6 +35,22 @@ permissions:
   pull-requests: write
 
 jobs:
+  needs-attention:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          debug-only: ${{ inputs.dryRun || false }}
+          operations-per-run: ${{ inputs.operationsPerRun || 500 }}
+          days-before-stale: 7
+          days-before-close: -1
+          ignore-pr-updates: true
+          only-pr-labels: 'triage'
+          stale-pr-label: 'needs-attention'
+          stale-pr-message: |
+            A label of 'needs-attention' was automatically added to this PR in order to raise the
+            attention of the committers. Once this issue has been triaged, the `triage` label
+            should be removed to prevent this automation from happening again.
   stale:
     runs-on: ubuntu-latest
     steps: