lupyuen opened a new pull request, #18404: URL: https://github.com/apache/nuttx/pull/18404
## Summary ASF Infrastructure Team has flagged a GitHub Actions workflow policy violation, inside our PR Labeling. We must remove pull_request_target before 6 Apr 2026, or ASF Infra will turn off all GitHub Builds: https://github.com/apache/nuttx/issues/18359 This PR reimplements the PR Labeling with two triggers: pull_request and workflow_run. We no longer need pull_request_target, which is an unsafe trigger and may introduce security vulnerabilities. GitHub Actions `codelytv/pr-size-labeler` and `actions/labeler` don't work with the pull_request trigger, so we replaced them with our own code. The implementation is explained here: https://github.com/apache/nuttx/issues/18359 ### Modified Files `.github/workflows/labeler.yml`: Changed the (read-write) pull_request_target trigger to (read-only) pull_request trigger. Compute the Size Label (e.g. Size: XS) and Arch Labels (e.g. Arch: arm). Save the PR Labels into a PR Artifact. `.github/labeler.yml`: Added comment to clarify that NuttX PR Labeler only supports a subset of the `actions/labeler` syntax: `changed-files` and `any-glob-to-any-file` ### New Files `.github/workflows/pr_labeler.yml`: Contains the workflow_run trigger, which is executed upon completion of the pull_request trigger. Download the PR Labels from the PR Artifact. Write the PR Labels into the PR. ## Impact * _Is a new or modified feature?_ This solution modifies the way PRs are labeled * _Impact on build:_ Builds will work the same. Except that the PR Labeler (labeler.yml) will now trigger "Set Pull Request Labels" (pr_labeler.yml) as a Background Job. PR Labeling now completes in 16 elapsed seconds, spanning 2 jobs. (Previously: 35 elapsed seconds, in 1 job.) `codelytv/pr-size-labeler` used to run inside a Docker Container, which isn't required any more. * _Impact on security:_ This PR improves security by removing pull_request_target, which is an unsafe trigger and may introduce security vulnerabilities. * _Impact on compatibility:_ The Labeling Rules inside .github/labeler.yml will continue to support `changed-files` and `any-glob-to-any-file`. Other types of Labeling Rules from `actions/labeler` will not be supported. * _Impact on documentation:_ I shall write a Detailed Article that explains why pull_request_target is unsafe, and how we reimplemented PR Labeling safely. * _Impact on user:_ NO * _Impact on hardware:_ NO * _Anything else:_ We documented all Design Decisions here: https://github.com/apache/nuttx/issues/18359 * When this PR has been Merged: I shall standby 24 x 7 to watch over GitHub CI and ensure that everything works exactly the same as before. (Unless I'm out for Marathon Training: 7 hours / 42 km) * Later the same changes shall be ported to the NuttX Apps repo ## Testing We confirm that the changes are verified on our own NuttX Repo and work as intended. Here are the Test Cases: https://gist.github.com/lupyuen/e160cc0a57c72ec95432ee148237c5f0 ### Arch Labeling - Simple PR should be labeled correctly and trigger a Simple Build: Arm32-only, Arm64-only, RISC-V-only, Arch + Board, Arch + Board + Doc, ... - Complex PR should be labeled correctly and trigger a Complete Build: Drivers, Include, Arm32 + Arm64, Arm32 + RISC-V, ... - Doc PR should be labeled correctly and trigger a Doc Build only ### Size Labeling - Size XS, S, M, L, XL should be labeled correctly - Added / modified / removed lines in a Single File: Should be labeled correctly - Added / modified / removed lines in Multiple Files: Should be labeled correctly - Deleted files should be ignored ### Response Time - PR Labeling must complete within 1.5 minutes Why? The Build Workflow begins in the Fetch-Source stage, checking out the Entire Repo and uploading everything in 1.5 minutes, followed by the Select-Builds stage (arch.yml) reading the PR Labels. Before 1.5 minutes, rightfully our workflow_run trigger would have written the PR Labels to the PR. PR Labeling now completes in 16 elapsed seconds, spanning 2 jobs. (Previously: 35 elapsed seconds, in 1 job) ### Zizmor Security Scan - Zizmor Security Scan should not report any Security Issues. However Zizmor flags `workflow_run` as a Potential Security Issue, because it's unable to analyse the code inside the workflow. `workflow_run` is not forbidden in the [ASF GitHub Actions Security Policy](https://infra.apache.org/github-actions-policy.html). Test Logs are here: https://gist.github.com/lupyuen/e160cc0a57c72ec95432ee148237c5f0 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
