lupyuen commented on issue #18359:
URL: https://github.com/apache/nuttx/issues/18359#issuecomment-3870933624

   Thanks @simbit18! Yep eventually we need some GitHub Script (JavaScript), 
here's my plan...
   (1) Verify that PRs can be Labeled using the Two-Step Solution: pull_request 
trigger + workflow_run trigger [(explained 
here)](https://github.com/apache/nuttx/issues/18359#issuecomment-3869143242).
   (2) But the Two-Step Solution won't work with `pr-size-labeler` and 
`actions/labeler`. These actions will work only with pull_request_target.
   (3) Which means we need our own GitHub Script (JavaScript) for doing the 
Size Labeling (S / M / L) and Arch Labeling (e.g. `arch: risc-v`)
   (4) Arch Labeling (e.g. `arch: risc-v`) looks straightforward. We just read 
the rules from 
[.github/labeler.yml](https://github.com/apache/nuttx/blob/master/.github/labeler.yml)
 and apply them.
   (5) Size Labeling (S / M / L) is more tricky. I suggest we hardcode with 
`size: unknown` until we find a CLI Tool that can count Lines of Code 
accurately.
   (6) That's assuming that the Size Label isn't actually consumed by any of 
our GitHub Workflows today? I used it for the LLM Bot for PR Review, but I 
stopped the bot because Gemini upgraded their API and it broke our bot.
   (7) Reading all the security docs, I'm pretty convinced that 
pull_request_target is "evil". Even if we can get an exemption from ASF Infra, 
someday someone can easily introduce a security hole, because 
pull_request_target needs to be maintained by a Security Expert.
   (8) Thus I would rather write our own simple GitHub Script (JavaScript) + 
pull_request trigger + workflow_run trigger to do the labeling. And avoid all 
these potential security holes. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
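
The following is an added example, not part of the comment above or of the NuttX repository: it shows the two halves of the Two-Step Solution as plain JavaScript functions, with the privileged workflow_run half validating the artifact written by the unprivileged pull_request half before any label is applied. The rule table, its paths, the `arch: arm` label and the artifact shape (`pr`, `labels`) are assumptions made for illustration.

```javascript
// Added example; rule table and artifact payload are constructed, not NuttX's own.
// Hypothetical, simplified stand-in for rules parsed from .github/labeler.yml.
const RULES = {
  'arch: risc-v': ['arch/risc-v/**', 'boards/risc-v/**'],
  'arch: arm': ['arch/arm/**', 'boards/arm/**'],
};

// Convert a glob ("**" crosses directories, "*" stays within one) to a RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\?]/g, '\\$&');
  const body = escaped.replace(/\*\*|\*/g, (m) => (m === '**' ? '.*' : '[^/]*'));
  return new RegExp(`^${body}$`);
}

// Step 1 (pull_request trigger, read-only token): derive labels from the
// changed paths. Size is hardcoded to "size: unknown", as in item (5).
function computeLabels(changedFiles, rules = RULES) {
  const labels = Object.keys(rules).filter((label) =>
    rules[label].some((g) => changedFiles.some((f) => globToRegExp(g).test(f))));
  return [...labels, 'size: unknown'];
}

// Step 2 (workflow_run trigger, write token): the artifact was produced by a
// job that ran on PR-controlled content, so every field is untrusted input.
function validateArtifact(jsonText, rules = RULES) {
  if (typeof jsonText !== 'string' || jsonText.length > 4096) {
    throw new Error('artifact missing or too large');
  }
  const data = JSON.parse(jsonText);
  if (!Number.isSafeInteger(data.pr) || data.pr <= 0) throw new Error('bad PR number');
  if (!Array.isArray(data.labels)) throw new Error('labels must be an array');
  // Only labels the rules can produce are accepted; anything else is rejected.
  const allowed = new Set([...Object.keys(rules), 'size: unknown']);
  const labels = [...new Set(data.labels)];
  for (const l of labels) {
    if (!allowed.has(l)) throw new Error(`label not in allowlist: ${String(l)}`);
  }
  return { pr: data.pr, labels };
}
```

In a workflow, the object returned by `validateArtifact` is the only data the privileged job would pass on to the labeling API call.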
