CI workflows

GitHub Actions workflows that automate PR checks, label management, and other CI/CD processes.

All workflow files live under .github/workflows/.

PR approval labels

Two workflows work together to automatically manage approval-related labels on pull requests:

Workflow file	Trigger	Privileges
`pr-review-trigger.yml`	`pull_request_review`	Minimal (no secrets)
`pr-approval-labels.yml`	`pull_request_target`, `workflow_run`	App token for label edits and org/team reads

Labels managed

missing:docs-approval — added when approval from the docs-approvers team is pending; removed once a docs-approver approves.
missing:sig-approval — added when approval from a SIG team is pending (determined by files changed and .github/component-owners.yml); removed once a SIG member approves or when no SIG component is touched.
ready-to-be-merged — added when all required approvals are present; removed otherwise.

Why two workflows?

GitHub’s pull_request_review event has no _target variant. This means a workflow triggered by a review on a fork PR runs in the fork’s context and cannot access the base repository’s secrets.

To work around this limitation, the system uses a workflow_run chaining pattern:

pr-review-trigger runs on every review submission/dismissal. It saves the PR number as an artifact and exits — no secrets needed.
pr-approval-labels is triggered by workflow_run (when the trigger workflow completes). It runs in the base repository context with full access to the GitHub App token, downloads the artifact, and updates labels.

For content changes (opened, reopened, synchronize), the pr-approval-labels workflow is triggered directly via pull_request_target.

sequenceDiagram
    participant R as Reviewer
    participant GH as GitHub
    participant T as pr-review-trigger
    participant L as pr-approval-labels

    R->>GH: Submits review (approve/request changes/dismiss)

    Note over GH: pull_request_review event

    GH->>T: Trigger (fork context, no secrets)
    T->>T: Save PR number as artifact
    T->>GH: Upload artifact, workflow completes

    Note over GH: workflow_run event (completed)

    GH->>L: Trigger (base repo context, with secrets)
    L->>L: Download PR number artifact
    L->>L: Run pr-approval-labels.sh
    L->>GH: Add/remove labels

sequenceDiagram
    participant A as Author
    participant GH as GitHub
    participant L as pr-approval-labels

    A->>GH: Opens/updates PR

    Note over GH: pull_request_target event

    GH->>L: Trigger directly (base repo context, with secrets)
    L->>L: Run pr-approval-labels.sh
    L->>GH: Add/remove labels

Security model

pr-review-trigger: intentionally minimal — no secrets, no privileged permissions. Ignores review.state == "commented" since comments don’t affect approvals.
pr-approval-labels: runs with a GitHub App token (OTELBOT_DOCS_APP_ID / OTELBOT_DOCS_PRIVATE_KEY) that has permissions to read org/team membership and edit PR labels. Uses pull_request_target and workflow_run to ensure it always executes in the trusted base repository context.

Other workflows

The repository includes several other workflows:

Workflow	Purpose
`check-links.yml`	Sharded link checking using htmltest
`check-text.yml`	Textlint terminology checks
`check-i18n.yml`	Localization front matter validation
`check-spelling.yml`	Spell checking
`auto-update-registry.yml`	Auto-update registry package versions
`auto-update-versions.yml`	Auto-update OTel component versions
`build-dev.yml`	Development build and preview
`label-prs.yml`	Auto-label PRs based on file paths
`pr-actions.yml`	PR-related automations
`component-owners.yml`	Assign reviewers based on component ownership

Last modified February 23, 2026: docs(site): initialize documentation for Build section with CI workflows and scripts (#9261) (c1bbaeae)