lupyuen commented on issue #18359: URL: https://github.com/apache/nuttx/issues/18359#issuecomment-3870933624
Thanks @simbit18! Yep eventually we need some GitHub Script (JavaScript), here's my plan...

1. Verify that PRs can be Labeled using the Two-Step Solution: pull_request trigger + workflow_run trigger [(explained here)](https://github.com/apache/nuttx/issues/18359#issuecomment-3869143242).
2. But the Two-Step Solution won't work with `pr-size-labeler` and `actions/labeler`. These actions will work only with pull_request_target.
3. Which means we need our own GitHub Script (JavaScript) for doing the Size Labeling (S / M / L) and Arch Labeling (e.g. `arch: risc-v`).
4. Arch Labeling (e.g. `arch: risc-v`) looks straightforward. We just read the rules from [.github/labeler.yml](https://github.com/apache/nuttx/blob/master/.github/labeler.yml) and apply them.
5. Size Labeling (S / M / L) is more tricky. I suggest we hardcode with `size: unknown` until we find a CLI Tool that can count Lines of Code accurately.
6. That's assuming that the Size Label isn't actually consumed by any of our GitHub Workflows today? I used it for the LLM Bot for PR Review, but I stopped the bot because Gemini upgraded their API and it broke our bot.
7. Reading all the security docs, I'm pretty convinced that pull_request_target is "evil". Even if we can get an exemption from ASF Infra, someday someone can easily introduce a security hole, because pull_request_target needs to be maintained by a Security Expert.
8. Thus I would rather write our own simple GitHub Script (JavaScript) + pull_request trigger + workflow_run trigger to do the labeling. And avoid all these potential security holes.
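The trusted half of the two-step labeling described above, as an added example that is not NuttX's code: the workflow_run job takes only a PR number from the untrusted pull_request run's artifact, validates it, and recomputes arch labels from labeler.yml-style rules over the PR's changed files rather than trusting any label list the untrusted run produced. The `RULES` object, file paths and the `parsePrNumber`/`computeLabels` helpers are constructed for this example (NuttX's real `.github/labeler.yml` uses the actions/labeler format, which differs), and the github-script API calls in the trailing comment are assumed usage.

```javascript
// Added example, not code from the NuttX repo. Pure logic for a GitHub Script
// step in the trusted workflow_run job of the two-step pattern.
// RULES is constructed and simplified; NuttX's real .github/labeler.yml differs.
const RULES = {
  "arch: risc-v": ["arch/risc-v/**", "boards/risc-v/**"],
  "arch: arm": ["arch/arm/**", "boards/arm/**"],
  "area: documentation": ["Documentation/**", "*.md"],
};

// Translate the glob subset used in labeler rules into a RegExp:
// "**" spans path separators, "*" stays inside one path segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      if (glob[i + 1] === "*") { re += ".*"; i++; } else { re += "[^/]*"; }
    } else if ("\\.+?^$()[]{}|".includes(c)) {
      re += "\\" + c;
    } else {
      re += c;
    }
  }
  return new RegExp("^" + re + "$");
}

// Labels whose globs match at least one changed file, in rule order.
function computeLabels(rules, changedFiles) {
  return Object.entries(rules)
    .filter(([, globs]) => {
      const matchers = globs.map(globToRegExp);
      return changedFiles.some((f) => matchers.some((m) => m.test(f)));
    })
    .map(([label]) => label);
}

// The artifact was written by a run of untrusted PR code, so it is input, not
// truth: accept a bare positive integer only and reject everything else.
function parsePrNumber(artifactText) {
  const m = /^\s*([1-9]\d{0,8})\s*$/.exec(String(artifactText));
  return m ? Number(m[1]) : null;
}

// Inside actions/github-script the trusted job would then do (assumed usage):
//   const number = parsePrNumber(fs.readFileSync("pr_number.txt", "utf8"));
//   if (number === null) throw new Error("artifact did not contain a PR number");
//   const files = await github.paginate(github.rest.pulls.listFiles,
//     { owner, repo, pull_number: number });
//   const labels = computeLabels(RULES, files.map((f) => f.filename));
//   if (labels.length) await github.rest.issues.addLabels(
//     { owner, repo, issue_number: number, labels });
```

Because the changed-file list comes from the API with the PR number as the only untrusted value, a PR cannot hand the trusted job arbitrary labels or shell input through the artifact.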
