lupyuen commented on issue #18359:
URL: https://github.com/apache/nuttx/issues/18359#issuecomment-3875683572

_Earlier we spoke about removing the PR Labeler pull_request_target trigger, and replacing it by [Two-Step Triggers: pull_request + workflow_run](https://github.com/apache/nuttx/issues/18359#issuecomment-3869143242). Will it work for Labeling PRs?_
   
Yep, it works! Labeling PRs will work OK with the Two-Step Triggers: pull_request + workflow_run. Here's a sample PR labeled by the Two-Step Triggers: https://github.com/lupyuen6/nuttx/pull/7
   
> <img width="925" height="659" alt="Image" src="https://github.com/user-attachments/assets/66f9b2e1-9604-47d9-b7d5-f11f522d0c1f" />
   
Here we see pull_request (labeler.yml) triggering workflow_run (pr_labeler.yml)...
   
   https://github.com/lupyuen6/nuttx/actions
   
> <img width="1491" height="818" alt="Image" src="https://github.com/user-attachments/assets/23339371-2859-443e-8f91-97bfe09a5727" />
   
How? We modified labeler.yml, and changed the trigger from (unsafe) pull_request_target to (safer) pull_request. The same workflow will compute the Size Label and Arch Labels...
   
   https://github.com/lupyuen6/nuttx/blob/master/.github/workflows/labeler.yml
   
<img width="1211" height="899" alt="Image" src="https://github.com/user-attachments/assets/7a9daf41-347f-4e63-8a0d-4d83f948b506" />
   
But the pull_request trigger isn't allowed to write the PR Labels. So we remember the PR Labels inside a PR Artifact [(because GitHub said so)](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).
   
When the First Workflow above ends, it triggers the Second Workflow: workflow_run (inside pr_labeler.yml, I created it). Here we read the PR Labels from the PR Artifact, then we write the PR Labels into the PR...

https://github.com/lupyuen6/nuttx/blob/master/.github/workflows/pr_labeler.yml
   
<img width="2043" height="1503" alt="Image" src="https://github.com/user-attachments/assets/56914e67-4cf2-4dd1-861a-6e16f3db9f95" />
   
   This works because workflow_run has write permission to the PR.
   
   _What about the missing bits? Computing the Size Label and Arch Labels?_
   
labeler.yml won't work with `pr-size-labeler` and `actions/labeler`. So I'll work on their replacements, [from our earlier Action List](https://github.com/apache/nuttx/issues/18359#issuecomment-3870933624)...
   
> (3) We need our own GitHub Script (JavaScript) for doing the Size Labeling (S / M / L) and Arch Labeling (e.g. `arch: risc-v`).
   
> (3a) How do we fetch the added / deleted / modified lines from the PR? We'll call GitHub Script (JavaScript) [`pulls.listFiles.endpoint.merge`](https://github.com/actions/labeler/blob/main/src/changedFiles.ts#L25-L46)
   
> (4) Arch Labeling (e.g. `arch: risc-v`) looks straightforward. We just read the rules from [.github/labeler.yml](https://github.com/apache/nuttx/blob/master/.github/labeler.yml) and apply them.
   
> (5) Size Labeling (S / M / L) is more tricky. I suggest we hardcode with size: unknown until we find a CLI Tool that can count Lines of Code accurately.
   
_Is [Zizmor Security Scanner](https://woodruffw.github.io/zizmor/) happy with all this?_
   
Sadly, Zizmor thinks that workflow_run is insecure (because it doesn't understand our implementation)...
   
   https://gist.github.com/lupyuen/c74a0fc50bff07a908be18752ef3bc19
   
```text
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> nuttx/.github/workflows/pr_labeler.yml:20:1
20 | / on:
21 | |   workflow_run:
   | |_________________^ workflow_run is almost always used insecurely
   = note: audit confidence → Medium
```
   
But the [ASF Infra Policy](https://infra.apache.org/github-actions-policy.html) didn't explicitly mention workflow_run. So we should be safe. (The policy explicitly forbids pull_request_target.)

