Skip to content

Create adr-labeler workflow#300

Closed
jonchurch wants to merge 3 commits intomasterfrom
jonchurch/adr-label-action
Closed

Create adr-labeler workflow#300
jonchurch wants to merge 3 commits intomasterfrom
jonchurch/adr-label-action

Conversation

@jonchurch
Copy link
Member

@jonchurch jonchurch commented Nov 2, 2024

Related to #296 (comment)

Will label any PR that touches the adr dir w/ ADR label

@jonchurch jonchurch mentioned this pull request Nov 2, 2024
Closed
@bjohansebas
Copy link
Member

bjohansebas commented Nov 2, 2024

I like it, although I'm sure it will give an error like in expressjs/expressjs.com#1553

@jonchurch
Copy link
Member Author

jonchurch commented Nov 3, 2024

Right, default token perms are read on prs

I think it needs this update


permissions:
  pull-requests: write
  issues: write

@bjohansebas
Copy link
Member

bjohansebas commented Nov 3, 2024

I still think it wouldn't work, we tried that in expressjs/expressjs.com#1557 and it didn't work. The only way we believe might work, although we haven't tested it yet, is by creating a token with the permissions as attempted in expressjs/expressjs.com#1642.

@jonchurch
Copy link
Member Author

jonchurch commented Nov 6, 2024

Ah, it's the permission model for forks mucking that up in the linked issue.

See the docs for GH_TOKEN perms, there's a note about this at the bottom.

I'll push an update to allow this to run based on PRs from forks.

@jonchurch
Copy link
Member Author

jonchurch commented Nov 6, 2024
edited
Loading

After looking into this, idk that there's a safe way to do this tbh. We can use pull_request_target to give forks the right permissions, but then they could possibly leak the token w/ those elevated perms. Same w/ the PAT approach, could trigger a workflow run, alter the workflow file in the PR, leak the token.

The original PR works as long as folks aren't opening PRs based on forks, but creating branches here in the repo.

A github bot or github app might be the safest way to do this, can edit the PRs w/o having elevated permissions in a workflow file that can be altered by PRs coming from forks.

TIL: the permission model of GHA is pretty wild

@jonchurch
create adr-labeler workflow
b7bee4e
@jonchurch
alter on: to ensure PRs from forks get upstream permissions
1d41254 
this should allow the default token to have enough perms to label
issues, even if the PR is coming from a fork.
@jonchurch
switch back to pull_request trigger for security, add comment
b8896c2
@jonchurch jonchurch force-pushed the jonchurch/adr-label-action branch from 9aecbfd to b8896c2 Compare November 20, 2024 19:49
@wesleytodd
Copy link
Member

wesleytodd commented Nov 22, 2024
edited
Loading

Can we change the name to RFC? I thought we had discussed that, but maybe with this new automation it is the time to do it?

EDIT: We decided not to make the name change in one of the TC meetings.

@bjohansebas bjohansebas mentioned this pull request Nov 24, 2024
Closed
@bjohansebas
Copy link
Member

bjohansebas commented Jan 17, 2025

due to permission issues, I don't think it's a good idea to add it, it will only create unnecessary noise about the workflow failing

@wesleytodd
Copy link
Member

wesleytodd commented Jan 20, 2025

Yeah, I think I agree. Safety first! @jonchurch want to close?

@bjohansebas
Copy link
Member

bjohansebas commented Apr 20, 2025

I'm going to close it, but feel free to reopen it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jonchurch @bjohansebas @wesleytodd