From 8ab44fec3709c629e54216b126ddc7dc8a28bc4d Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Thu, 19 Jun 2025 11:54:47 +0200 Subject: [PATCH] workflows/labels: fix pull_request event trigger When the job is run with the pull_request trigger for validation of changes to the workflow itself, we need to run everything that can be run without privileges - but not more. We tried to do so for the three actions/labeler steps, but failed to set up the condition correctly. We also need to exit early for our JavaScript based labeler, just before making the mutation requests. --- .github/workflows/labels.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 2a632be28b57..0ca429421891 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -212,6 +212,11 @@ jobs: if (approvals.size > 0) after.push(`12.approvals: ${approvals.size > 2 ? '3+' : approvals.size}`) if (Array.from(maintainers).some(m => approvals.has(m))) after.push('12.approved-by: package-maintainer') + if (context.eventName == 'pull_request') { + core.info('Skipping labeling on a pull_request event (no privileges).') + return + } + // Remove the ones not needed anymore await Promise.all( before.filter(name => !after.includes(name)) @@ -247,12 +252,12 @@ jobs: name: Labels from touched files if: | github.event_name == 'pull_request_target' && - github.event.pull_request.head.repo.owner.login != 'NixOS' || !( + (github.event.pull_request.head.repo.owner.login != 'NixOS' || !( github.head_ref == 'haskell-updates' || github.head_ref == 'python-updates' || github.head_ref == 'staging-next' || startsWith(github.head_ref, 'staging-next-') - ) + )) with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml # default 
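Review bot: The added guard `if (context.eventName == 'pull_request')` names the one event to skip, so any other trigger the workflow has or later gains falls through to the label add/remove requests by default. If `pull_request_target` is the only event meant to write labels (the `on:` block is outside this hunk, so this is an assumption), an allow-list check fails closed: `if (context.eventName !== 'pull_request_target') {`. A comment should also make clear that this early return is a dry-run convenience and that the token's permissions are the real privilege boundary, e.g. `// Dry run for workflow validation; the GITHUB_TOKEN permissions, not this check, limit what the job can write.` The surrounding script starts and ends outside the hunk.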
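Review bot: The `if:` condition fixed here is repeated almost verbatim in the `Labels from touched files (no sync)` step (`@@ -262`) and, with the owner test inverted, in the step at `@@ -280`, and none of the three says what it is meant to express. These steps pass `secrets.GITHUB_TOKEN` as `repo-token`, so a precedence slip like the one corrected here decides whether a token-bearing step runs on an event it was not meant for. The intent deserves a comment above each condition, e.g. `# Privileged event only; skipped for development branches pushed from the NixOS org.` The four `github.head_ref` comparisons must stay identical in all three places by hand, so a short `# keep in sync with the two other labeler steps` next to the list would help reviewers catch drift.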
@@ -262,12 +267,12 @@ jobs: name: Labels from touched files (no sync) if: | github.event_name == 'pull_request_target' && - github.event.pull_request.head.repo.owner.login != 'NixOS' || !( + (github.event.pull_request.head.repo.owner.login != 'NixOS' || !( github.head_ref == 'haskell-updates' || github.head_ref == 'python-updates' || github.head_ref == 'staging-next' || startsWith(github.head_ref, 'staging-next-') - ) + )) with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler-no-sync.yml @@ -280,12 +285,12 @@ jobs: # the backport labels. if: | github.event_name == 'pull_request_target' && - github.event.pull_request.head.repo.owner.login == 'NixOS' && ( + (github.event.pull_request.head.repo.owner.login == 'NixOS' && ( github.head_ref == 'haskell-updates' || github.head_ref == 'python-updates' || github.head_ref == 'staging-next' || startsWith(github.head_ref, 'staging-next-') - ) + )) with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler-development-branches.yml
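Review bot: The parentheses added around `github.event.pull_request.head.repo.owner.login == 'NixOS' && ( … )` in the `@@ -280` hunk change nothing, because the whole condition is a chain of `&&`. Unlike the two preceding steps, this one already evaluated as intended. If the grouping is kept for visual symmetry, say so in the comment block above the `if:`, for example `# Parenthesised like the two steps above; all-&& so the grouping is cosmetic.` Otherwise someone reading the history may assume this step was misfiring before the commit.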