Add autofix reminder and label manager

Remind query authors to validate their changes in autofix before merging.

.github/workflows/autofix-label-manager.yml

@@ -0,0 +1,41 @@
+# This workflow ensures that if the "No Autofix Validation Required" label is
+# added to a pull request, the "Autofix Validation Required" label is removed.
+name: Autofix Label Manager
+
+on:
+  pull_request_target:
+    types: [labeled]
+
+  # Allows manual triggering of the workflow for testing
+  workflow_dispatch:
+
+jobs:
+  check-to-remove-autofix-label:
+    env:
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      PR_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      REQUIRES_AUTOFIX_LABEL: "Autofix Validation Required"
+      DOES_NOT_REQUIRE_AUTOFIX_LABEL: "No Autofix Validation Required"
+      LABEL_ADDED: ${{ github.event.label.name }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if label "No Autofix Validation Required" is added
+        shell: bash
+        run: |
+          if [ "$LABEL_ADDED" != "$DOES_NOT_REQUIRE_AUTOFIX_LABEL" ]; then
+            echo "Label $DOES_NOT_REQUIRE_AUTOFIX_LABEL was not added."
+            exit 0
+          fi
+
+          echo "Label $DOES_NOT_REQUIRE_AUTOFIX_LABEL was added."
+
+          # Check if Label $REQUIRES_AUTOFIX_LABEL exists and remove it
+          REQUIRES_AUTOFIX_LABEL_EXISTS=$(gh api /repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/labels | jq --arg label "Autofix Validation Required" '.[] | select(.name==$label) | .name')
+          if [ "$REQUIRES_AUTOFIX_LABEL_EXISTS" == "$REQUIRES_AUTOFIX_LABEL" ]; then
+            gh api -X DELETE "/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/labels/$REQUIRES_AUTOFIX_LABEL"
+            echo "$REQUIRES_AUTOFIX_LABEL Label removed."
+          else
+            echo "$REQUIRES_AUTOFIX_LABEL Label does not exist or was already removed."
+          fi

.github/workflows/autofix-reminder.yml

@@ -0,0 +1,56 @@
+# This workflow creates a reminder to query authors to test their queries
+# in autofix.
+name: Autofix reminder
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "rc/*"
+    paths:
+      - "**/*.qhelp"
+      - "**/*.ql"
+      - "**/*.qll"
+      # This workflow
+      - ".github/workflows/autofix-reminder.yml"
+
+    workflow_dispatch:
+
+jobs:
+  autofix-reminder:
+    env:
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      PR_NUMBER: ${{ github.event.number }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      REQUIRES_AUTOFIX_LABEL: "Autofix Validation Required"
+      DOES_NOT_REQUIRE_AUTOFIX_LABEL: "No Autofix Validation Required"
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check existing labels
+        id: label_check
+        shell: bash
+        run: |
+          gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" | jq -r '.[].name' > labels.txt
+
+          if grep -q -x -e "${REQUIRES_AUTOFIX_LABEL}" labels.txt || grep -q -x -e "${DOES_NOT_REQUIRE_AUTOFIX_LABEL}" labels.txt; then
+            echo "Stopping workflow due to label presence."
+            echo "should_continue=false" >> $GITHUB_OUTPUT
+          else
+            echo "Add $REQUIRES_AUTOFIX_LABEL label."
+            echo "should_continue=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Add label
+        if: steps.label_check.outputs.should_continue == 'true'
+        run: |
+          gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" -X POST -f "labels[]=$REQUIRES_AUTOFIX_LABEL"
+
+      - name: Comment on PR
+        if: steps.label_check.outputs.should_continue == 'true'
+        run: gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -X POST --field body="This pull request updates '.ql', '.qll', or '.qhelp' files, Please validate that autofixes generated based on these changes are valid. See [the documentation](https://github.com/github/codeql-team/blob/main/docs/best-practices/validating-autofix-for-query-changes.md) (internal access required). If autofix validation is not required, please add the label '${DOES_NOT_REQUIRE_AUTOFIX_LABEL}' to this pull request."