From 3917554dca8411fcc588d34096cfd3fe599e8b1e Mon Sep 17 00:00:00 2001
From: Matthew Watkins
Date: Thu, 19 Mar 2026 15:01:08 +0000
Subject: [PATCH] CI: Migrate release-drafter to v7 split
Release-drafter v7 removed the disable-releaser and disable-autolabeler inputs, replacing them with dedicated sub-actions. This commit:
- Splits the combined workflow into two files: release-drafter.yaml (push-only, drafter) and autolabeler.yaml (PR events, autolabeler)
- Updates to release-drafter v7.1.0
- Updates harden-runner to v2.16.0
- Removes the per-repo release-drafter config (falls back to org-level .github repo config)
- Removes deprecated env GITHUB_TOKEN usage
- Removes debug concurrency group step
Co-authored-by: Claude
Signed-off-by: Matthew Watkins
---
.github/release-drafter.yml | 68 --------------------------
.github/workflows/autolabeler.yaml | 59 ++++++++++++++++++++++
.github/workflows/release-drafter.yaml | 38 ++------------
3 files changed, 63 insertions(+), 102 deletions(-)
delete mode 100644 .github/release-drafter.yml
create mode 100644 .github/workflows/autolabeler.yaml
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
deleted file mode 100644
index 9a52d0e..0000000
--- a/.github/release-drafter.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-# SPDX-FileCopyrightText: 2025 The Linux Foundation
-# SPDX-License-Identifier: Apache-2.0
-
-name-template: "v$RESOLVED_VERSION"
-tag-template: "v$RESOLVED_VERSION"
-change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
-sort-direction: ascending
-categories:
- - title: ":boom: Breaking Change :boom:"
- labels:
- - "breaking-change"
- - title: ":zap: Enhancements :zap:"
- labels:
- - "enhancement"
- - title: ":sparkles: New Features :sparkles:"
- labels:
- - "feature"
- - title: ":bug: Bug Fixes :bug:"
- labels:
- - "fix"
- - "bugfix"
- - "bug"
- - title: ":wrench: Maintenance :wrench:"
- labels:
- - "chore"
- - "documentation"
- - "maintenance"
- - "repo"
- - "dependencies"
- - "github_actions"
- - "refactor"
- - title: ":mortar_board: Code Quality :mortar_board:"
- labels:
- - "code-quality"
- - "CI"
- - "test"
-autolabeler:
- - label: "breaking-change"
- title:
- - "/!:/i"
- - label: "feature"
- title:
- - "/feat:/i"
- - label: "bug"
- title:
- - "/fix:/i"
- - label: "refactor"
- title:
- - "/refactor:/i"
- - label: "code-quality"
- title:
- - "/test:/i"
- - label: "CI"
- title:
- - "/ci:/i"
- - label: "chore"
- title:
- - "/chore:/i"
- - label: "documentation"
- title:
- - "/docs:/i"
-# yamllint disable rule:line-length
-template: |
- $CHANGES
-
- ## Links
- - [Submit bugs/feature requests](https://github.com/$OWNER/$REPOSITORY/issues)
diff --git a/.github/workflows/autolabeler.yaml b/.github/workflows/autolabeler.yaml
new file mode 100644
index 0000000..2c77470
--- /dev/null
+++ b/.github/workflows/autolabeler.yaml
@@ -0,0 +1,59 @@
+---
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Autolabeler'
+
+# yamllint disable-line rule:truthy
+on:
+ # pull_request is required for autolabeler
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ # pull_request_target is required for autolabeler on PRs from forks
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+
+permissions: {}
+
+concurrency:
+ # yamllint disable-line rule:line-length
+ group: ${{ format('al-{0}-pr-{1}', github.event_name, github.event.pull_request.number) }}
+ cancel-in-progress: true
+
+jobs:
+ autolabel:
+ name: 'Autolabel PR'
+ # Run on pull_request_target for forks, or pull_request for same-repo PRs
+ # This prevents duplicate runs for same-repo PRs
+ # yamllint disable rule:line-length
+ if: >
+ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork) ||
+ (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork)
+ # yamllint enable rule:line-length
+ # SECURITY: pull_request_target with write permissions is safe here because:
+ # 1. This workflow does NOT checkout any code from the PR
+ # 2. The workflow code itself runs from the base branch (not the fork)
+ # 3. release-drafter only makes GitHub API calls (no code execution)
+ # 4. pull_request_target is needed ONLY for autolabeling fork PRs
+ permissions:
+ # write permission is required for autolabeler
+ pull-requests: write
+ # read is sufficient; autolabeler does not create releases
+ contents: read
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 3
+ steps:
+ # Harden the runner used by this workflow
+ # yamllint disable-line rule:line-length
+ - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: 'audit'
+
+ # yamllint disable-line rule:line-length
+ - uses: release-drafter/release-drafter/autolabeler@44a942e465867c7465b76aa808ddca6e0acae5da # v7.1.0
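Review bot: Point 3 of the SECURITY comment ("release-drafter only makes GitHub API calls") is a statement about third-party code, and what actually bounds the `pull_request_target` + `pull-requests: write` exposure in this job is the commit-SHA pin on the autolabeler step together with the absence of any checkout step; neither is named in the list, so a later bump to a floating tag such as `@v7` would silently invalidate the reasoning. I would add `# 5. Both actions are pinned by commit SHA; do not relax to a tag without revisiting this` to the list. The label rules themselves no longer live in this repository (the description says they fall back to the org-level .github config), which deserves one comment above the autolabeler step so a reviewer knows where a regex change has to be made. `egress-policy: 'audit'` only records outbound connections; once the action's endpoints are confirmed from the audit logs, `block` with an `allowed-endpoints` list would turn the comment above from a policy into an enforced one.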
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index ceacf31..1bbe32f 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -9,24 +9,11 @@ on:
push:
branches:
- main
- # pull_request is required for autolabeler
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- # pull_request_target is required for autolabeler on PRs from forks
- pull_request_target:
- types:
- - opened
- - synchronize
- - reopened
permissions: {}
concurrency:
- # yamllint disable-line rule:line-length
- group: "rd-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}"
+ group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
@@ -35,31 +22,14 @@ jobs:
permissions:
# write permission is required to create releases
contents: write
- # write permission is required for autolabeler
- pull-requests: write
runs-on: 'ubuntu-latest'
timeout-minutes: 3
steps:
# Harden the runner used by this workflow
# yamllint disable-line rule:line-length
- - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+ - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: 'audit'
- - name: 'Show concurrency group'
- shell: bash
- # yamllint disable rule:line-length
- run: |
- # Show concurrency group
- {
- echo '## Release Drafter'
- echo "Concurrency group: rd-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}"
- } >> "$GITHUB_STEP_SUMMARY"
- echo "Concurrency group: rd-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}"
- # yamllint enable rule:line-length
-
- - name: 'Update draft release'
- # yamllint disable-line rule:line-length
- uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ # yamllint disable-line rule:line-length
+ - uses: release-drafter/release-drafter@44a942e465867c7465b76aa808ddca6e0acae5da # v7.1.0
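Review bot: The new release-drafter step drops the `name: 'Update draft release'` the old step had and carries no comment saying where its configuration now comes from, although this commit deletes `.github/release-drafter.yml` and, per the description, relies on the org-level .github repository's config instead. A maintainer reading only this file cannot tell which template or category rules apply to the drafted release, and the unnamed step shows up in run logs only by its action path. I would restore `- name: 'Update draft release'` and add one comment above it such as `# Config: no per-repo .github/release-drafter.yml; release-drafter falls back to the org-level .github repo config`. The job's `contents: write` remains the right scope for drafting releases on push to main, and dropping `pull-requests: write` here is consistent with moving labelling to the separate workflow.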