Shared, reusable GitHub Actions workflows for
php-testo repositories.
Plugin and package repositories under php-testo are read-only mirrors.
Pull requests must be opened against the upstream repository. This reusable
workflow comments on any incoming PR and closes it automatically.
Add the following file to the mirror repository as
`.github/workflows/close-prs.yml`:

```yaml
name: Close PRs

on:
  pull_request_target:
    types: [opened, reopened]

permissions:
  pull-requests: write

jobs:
  close:
    uses: php-testo/gh-actions/.github/workflows/close-foreign-prs.yml@v1
    with:
      upstream-url: https://github.com/php-testo/testo
      # message: |   # optional custom body; {upstream} is substituted
      #   Custom text. Open your PR at {upstream}.
```

A ready-to-copy file lives in `examples/close-prs.yml`.

| Input | Required | Description |
|---|---|---|
| `upstream-url` | yes | URL of the upstream repository where PRs should be opened. |
| `message` | no | Custom comment body. `{upstream}` is replaced with `upstream-url`. |

- It runs the trusted code. The caller uses `pull_request_target`, so GitHub executes the workflow from the mirror's default branch, not from the PR branch. A contributor cannot edit the workflow in their PR to run arbitrary code with a privileged token.
- No checkout of PR code. This workflow never checks out or executes the pull request's contents.
- No PAT, no secrets. It uses only the ephemeral `GITHUB_TOKEN` scoped to `pull-requests: write`. There is no long-lived credential to leak or reuse.
- Runs without manual approval. Because the trusted base-branch workflow is used, no "Approve and run" gate appears, even for first-time contributors.

Reference the workflow by a moving major tag (@v1) or pin to a commit SHA for
stricter supply-chain guarantees.
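
An added example, not part of the php-testo project: a heuristic, line-based audit (Python standard library only, not a YAML parser) that checks a caller workflow for the properties listed above. The `RISKY` workflow, the finding names and the `audit` function are constructed for illustration; a tag reference such as `@v1` is reported as `mutable-ref`, in line with the note on SHA pinning.

```python
import re

# The caller workflow from this page (commented-out lines omitted).
PAGE_CALLER = """\
on:
  pull_request_target:
    types: [opened, reopened]
permissions:
  pull-requests: write
jobs:
  close:
    uses: php-testo/gh-actions/.github/workflows/close-foreign-prs.yml@v1
    with:
      upstream-url: https://github.com/php-testo/testo
"""
# Constructed counter-example: same trigger, but it checks out the PR's code.
RISKY = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.DEPLOY_PAT }}
"""
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def audit(workflow_text):
    """Heuristic, line-based audit (not a YAML parser); returns sorted findings."""
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", l) for l in workflow_text.splitlines())
    if not re.search(r"^\s*pull_request_target\s*:", body, re.M):
        return []  # the checks below only concern the privileged trigger
    found = set()
    if "actions/checkout" in body and PR_HEAD.search(body):
        found.add("checks-out-pr-head")  # untrusted code next to a privileged token
    if re.search(r"^\s*permissions\s*:\s*write-all", body, re.M):
        found.add("permissions-write-all")
    elif not re.search(r"^\s*permissions\s*:", body, re.M):
        found.add("permissions-not-declared")  # token falls back to repo defaults
    found |= {"secret:" + n for n in re.findall(r"secrets\.(\w+)", body) if n != "GITHUB_TOKEN"}
    for ref in re.findall(r"^\s*(?:-\s*)?uses\s*:\s*(\S+)", body, re.M):
        if not ref.startswith("./") and not SHA_PIN.search(ref):
            found.add("mutable-ref:" + ref)  # tag or branch, not a commit SHA
    return sorted(found)
```

Run `audit()` over each file in `.github/workflows/` of a mirror repository; an empty list means the heuristics found nothing to flag.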