-
Notifications
You must be signed in to change notification settings - Fork 397
67 lines (61 loc) · 2.52 KB
/
label_pr_on_title.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: Label PR based on title
# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Label PR based on semantic title (e.g., area, change type)
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/record_pr.yml
#
# Security Note:
#
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
workflow_run:
workflows: ["Record PR details"]
types:
- completed
permissions:
contents: read
jobs:
get_pr_details:
permissions:
actions: read # download PR artifact
contents: read # checkout code
# Guardrails to only ever run if PR recording workflow was indeed
# run in a PR event and ran successfully
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
workflow_origin: ${{ github.event.repository.full_name }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
label_pr:
needs: get_pr_details
runs-on: ubuntu-latest
permissions:
pull-requests: write # label respective PR
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: "Label PR based on title"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }}
PR_LABELS: ${{ needs.get_pr_details.outputs.prLabels }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# This safely runs in our base repo, not on fork
# thus allowing us to provide a write access token to label based on PR title
# and label PR based on semantic title accordingly
script: |
const script = require('.github/scripts/label_pr_based_on_title.js')
await script({github, context, core})