Add domain/* labels and CODEOWNERS-based domain labeling #13
Merged
Define 7 domain/* labels (scanning, findings, integrations, platform, frontend, infra, database) in labels.yml with a teal color palette. Extend pr_labeler.py to fetch CODEOWNERS from the caller repo via the Contents API, parse it with last-match-wins semantics, match changed files to owning teams, and apply/remove domain/* labels accordingly. This avoids depending on mutable PR reviewer state and works across all repos that have a CODEOWNERS file. Repos without CODEOWNERS gracefully skip domain labeling. Unknown team slugs (e.g. eng-leads) are filtered out so only recognized domain labels are applied.

81 tests passing (26 new for CODEOWNERS parsing, matching, domain reconciliation).

Jira: PLAT-222

Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 5670c71.
- Check for internal slashes before appending ** to trailing-slash patterns, so unanchored dirs like "vendor/" match at any depth
- Search all three GitHub CODEOWNERS locations (.github/, root, docs/) in priority order instead of only the root

Co-authored-by: Cursor <cursoragent@cursor.com>
mikewalters-truffle approved these changes on Jun 12, 2026.
bryanbeverly added a commit to trufflesecurity/helm-charts that referenced this pull request on Jun 15, 2026:
## Summary

Add `contents: read` to the PR labeler caller workflow's `permissions` block.

When a workflow declares a `permissions:` block, every scope not listed defaults to `none`. This caller declared only `pull-requests: write`, so `contents` was `none`. The labeler's domain-labeling step reads CODEOWNERS via the GitHub Contents API using `GITHUB_TOKEN`; with `contents: none` that read is denied and the script logs "No CODEOWNERS found; skipping domain labeling." As a result the `domain/*` labels added org-wide in trufflesecurity/.github#13 were never applied. Granting `contents: read` restores CODEOWNERS access; no other scope is required.

## Review guidance

- **Urgent** (needs same-day review): no
- **High complexity** (non-obvious logic, careful review): no
- **Key files to focus on**: `.github/workflows/pr-labeler.yml`

## Testing

A labeler dry-run backfill on thog logged "No CODEOWNERS found; skipping domain labeling" under the current permissions, despite a valid CODEOWNERS file. `contents: read` is the documented scope for the Contents API read the labeler performs. After merge, `gh workflow run pr-labeler.yml -f pr_number=all -f dry_run=true` will show planned `domain/*` labels.

## Deployment notes

Takes effect on the next labeler run (event-driven, or a workflow_dispatch backfill). No application/runtime impact.

---

> [!NOTE]
> **Low Risk**
> Single workflow permission scope change with no application or runtime impact; least privilege is preserved aside from the required Contents API read.
>
> **Overview**
> The PR labeler workflow now grants **`contents: read`** alongside `pull-requests: write`.
>
> Because an explicit `permissions` block leaves unlisted scopes at `none`, the labeler could not read **CODEOWNERS** via the Contents API and skipped **domain** labeling. This restores that read so org-wide `domain/*` labels can be applied again.
>
> Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit e0f6721.

## Summary

- `domain/*` labels to `labels.yml` (scanning, findings, integrations, platform, frontend, infra, database) with a teal color palette
- `pr_labeler.py` to automatically apply `domain/*` labels by parsing the caller repo's CODEOWNERS file against the PR's changed files
- `pr-labeler.yml` callers pick this up automatically

## How it works

- `CODEOWNERS` via the Contents API (single call, cached per run for backfill)
- `gh pr view --json files`
- `eng-leads`)
- `domain/*` labels and removes stale ones

## Test plan

- `*` not crossing `/`, deep paths)
- `sync-labels` workflow_dispatch on target repos to propagate label definitions

Jira: PLAT-222
> [!NOTE]
> **Low Risk**
> Automation-only changes to GitHub labeling and label definitions; no product runtime or auth paths.
>
> **Overview**
> Adds seven `domain/*` labels to the shared taxonomy and extends `pr_labeler.py` so open PRs get those labels from CODEOWNERS, not from reviewer assignment. On each run the labeler loads CODEOWNERS once (Contents API, standard paths), loads the PR's changed files, resolves owners with last-match-wins per file (GitHub-style path rules), unions team slugs across files, maps them to known domains (`scanning`, `findings`, etc.), and adds missing `domain/*` labels while removing stale ones. Catch-all teams like `eng-leads` are ignored; repos without CODEOWNERS skip domain labeling. Existing caller workflows pick this up without changes. Tests cover parsing, pattern matching, domain resolution, and reconcile behavior.
>
> Reviewed by Cursor Bugbot for commit a70cc1a.
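The CODEOWNERS-driven labeling flow described in the PR description and the Bugbot overview above, as an added example that is not the repo's own `pr_labeler.py`: GitHub-style path matching with last-match-wins, the trailing-slash anchoring check from the follow-up commit (`vendor/` matches at any depth, `docs/api/` is root-anchored), filtering of unknown team slugs such as `eng-leads`, and the add/remove reconciliation of `domain/*` labels. The org name `acme`, the team slugs, the paths and the label set are constructed for the example; the real labeler fetches CODEOWNERS and the changed-file list from GitHub.

```python
import re
# Constructed sample CODEOWNERS (hypothetical org "acme" and team slugs).
CODEOWNERS = """
# later rules override earlier ones: last match wins
*                 @acme/eng-leads
/pkg/scanner/     @acme/scanning
*.sql             @acme/database
vendor/           @acme/platform
docs/api/         @acme/frontend
/web/**/*.tsx     @acme/frontend
"""
# Only these team slugs map to a domain label; eng-leads and individual users are dropped.
DOMAIN_BY_TEAM = {t: f"domain/{t}" for t in ("scanning", "database", "platform", "frontend")}

def pattern_to_regex(pattern: str) -> re.Pattern:
    """GitHub rule semantics: '*' never crosses '/', '**' does, a trailing '/' covers
    everything under the directory, and 'vendor/' (no other slash) matches at any depth."""
    body = pattern.lstrip("/")
    # Decide anchoring BEFORE appending '**', otherwise 'vendor/' would look anchored.
    anchored = pattern.startswith("/") or "/" in body.rstrip("/")
    if body.endswith("/"):
        body += "**"
    out, i = [], 0
    while i < len(body):
        if body.startswith("**/", i): out.append("(?:.*/)?"); i += 3
        elif body.startswith("**", i): out.append(".*"); i += 2
        elif body[i] == "*": out.append("[^/]*"); i += 1
        else: out.append(re.escape(body[i])); i += 1
    return re.compile(("^" if anchored else "^(?:.*/)?") + "".join(out) + "$")

def parse_codeowners(text: str) -> list:
    """Skip blanks and comments; each rule becomes (compiled pattern, owner list)."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [(pattern_to_regex(r[0]), r[1:]) for r in rows]

def owners_for(path: str, rules: list) -> list:
    """Last matching rule wins, so scan the rules in reverse."""
    return next((owners for rx, owners in reversed(rules) if rx.match(path)), [])

def reconcile(changed_files: list, current_labels: list, rules: list):
    """Return (labels_to_add, labels_to_remove), touching only the domain/* namespace."""
    wanted = set()
    for path in changed_files:
        for owner in owners_for(path, rules):
            slug = owner.rsplit("/", 1)[-1]          # "@acme/scanning" -> "scanning"
            if slug in DOMAIN_BY_TEAM:               # unknown slugs are filtered out
                wanted.add(DOMAIN_BY_TEAM[slug])
    have = {l for l in current_labels if l.startswith("domain/")}
    return sorted(wanted - have), sorted(have - wanted)
```

Because `reconcile` only ever adds or removes labels in the `domain/*` namespace, unrelated labels on the PR (size, priority, manually applied ones) are left untouched.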