lupyuen opened a new pull request, #3408:
URL: https://github.com/apache/nuttx-apps/pull/3408

   ## Summary
   
   This PR replicates the new PR Labeling Workflow from the NuttX Repo to the NuttX Apps Repo. For future syncing:
   - Copy `.github/workflows/labeler.yml` and `.github/workflows/pr_labeler.yml` from the NuttX Repo to NuttX Apps
   - Edit `.github/workflows/labeler.yml` and change `repository: apache/nuttx` to `repository: apache/nuttx-apps`
   - Don't overwrite `.github/labeler.yml` with the copy from the NuttX Repo
   
   The new workflow reimplements PR Labeling with two triggers: pull_request and workflow_run. We no longer need pull_request_target, which is an unsafe trigger and may introduce security vulnerabilities.
   
   The New PR Labeler is explained here:
   - https://lupyuen.org/articles/prtarget
   - https://github.com/apache/nuttx/issues/18359
   
   ### Modified Files
   
   `.github/workflows/labeler.yml`: Changed the (read-write) pull_request_target trigger to the (read-only) pull_request trigger. Compute the Size Label (e.g. `Size: XS`) and Arch Labels (e.g. `Area: Examples`). Save the PR Labels into a PR Artifact.
   
   `.github/labeler.yml`: Added a comment to clarify that the NuttX PR Labeler only supports a subset of the `actions/labeler` syntax: `changed-files` and `any-glob-to-any-file`. Note: Don't overwrite this file with the copy from the NuttX Repo.
   
   ### New Files
   
   `.github/workflows/pr_labeler.yml`: Contains the workflow_run trigger, which is executed upon completion of the pull_request trigger. Download the PR Labels from the PR Artifact. Write the PR Labels into the PR.
   
   ## Impact
   
     * _Is a new or modified feature?_ This solution modifies the way PRs are labeled
   
     * _Impact on build:_ Builds will work the same, except that the PR Labeler (labeler.yml) will now trigger "Set Pull Request Labels" (pr_labeler.yml) as a Background Job. PR Labeling now completes in 17 elapsed seconds, spanning 2 jobs. (Previously: 15 elapsed seconds, in 1 job.) `codelytv/pr-size-labeler` used to run inside a Docker Container, which isn't required any more.
   
     * _Impact on security:_ This PR improves security by removing pull_request_target, which is an unsafe trigger and may introduce security vulnerabilities.
   
     * _Impact on compatibility:_ The Labeling Rules inside `.github/labeler.yml` will continue to support `changed-files` and `any-glob-to-any-file`. Other types of Labeling Rules from `actions/labeler` will not be supported.
   
     * _Impact on documentation:_ I wrote a Detailed Article that explains why pull_request_target is unsafe, and how we reimplemented PR Labeling safely: https://lupyuen.org/articles/prtarget
   
     * _Impact on user:_ NO
   
     * _Impact on hardware:_ NO
   
     * _Anything else:_ We documented all Design Decisions here: https://github.com/apache/nuttx/issues/18359
   
     * When this PR has been Merged: I shall standby 24 x 7 to watch over GitHub CI and ensure that everything works exactly the same as before. (Unless I'm out for Marathon Training: 7 hours / 42 km)
   
   ## Testing
   
   We confirm that the changes are verified on our own NuttX Apps Repo and work as intended. Here are the Test Cases:
   
   https://gist.github.com/lupyuen/a3f75797d49ea7262b9a65dba6eba9e4
   
   ### Arch Labeling
   
   - Root CMakeLists.txt / Makefile: Should be labeled correctly as `Area: Build system` and trigger a Complete Build
   - Example CMakeLists.txt / Makefile: Should be labeled correctly as `Area: Examples` and trigger a Complete Build
   - CI Files: Should be labeled correctly as `Area: CI` and trigger a Complete Build
   - System Include `include/system`: Should be labeled correctly as `Area: System` and trigger a Complete Build
   
   ### Size Labeling
   
   - Size XS, S, M, L, XL should be labeled correctly
   - Added / modified / removed lines in a Single File: Should be labeled correctly
   - Added / modified / removed lines in Multiple Files: Should be labeled correctly
   - Deleted files should be ignored
   
   ### Response Time
   
   - PR Labeling must complete within 1.5 minutes
   
     Why? The Build Workflow begins with the Fetch-Source stage, which checks out the Entire Repo and uploads everything in 1.5 minutes, followed by the Select-Builds stage (arch.yml), which reads the PR Labels. By then, our workflow_run trigger should have written the PR Labels to the PR.

     PR Labeling now completes in 17 elapsed seconds, spanning 2 jobs. (Previously: 15 elapsed seconds, in 1 job.)
   
   ### Zizmor Security Scan
   
   - Zizmor Security Scan should not report any Security Issues. However, Zizmor flags `workflow_run` as a Potential Security Issue, because it's unable to analyse the code inside the workflow. `workflow_run` is not forbidden in the [ASF GitHub Actions Security Policy](https://infra.apache.org/github-actions-policy.html).
   
   Test Logs are here: https://gist.github.com/lupyuen/a3f75797d49ea7262b9a65dba6eba9e4
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
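As an added illustration of the two-trigger design the PR describes (this is not the workflow code from the PR or from the NuttX project), the pair of workflows below makes the trust boundary explicit. The file names, the `Label PR` workflow name, the artifact layout (`pr_number` plus one label per line in `labels`), the Size thresholds and the Area globs are all assumptions made for the example. The allowlist and head-commit check in the second file are the caveat a reviewer would want: the artifact was produced by a job that ran the PR's own code, so the trusted job must treat its contents as attacker-controlled input.

```yaml
# File 1 (assumed name): .github/workflows/labeler.yml
# Trigger: pull_request. This job runs the PR's own code, so it gets a
# read-only token and no write scopes. Its only output is an artifact.
name: Label PR

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  compute-labels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Compute Size and Area labels
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          mkdir -p artifact
          echo "$PR_NUMBER" > artifact/pr_number
          # Added + removed lines, skipping deleted files. Thresholds are assumed.
          lines=$(git diff --numstat --diff-filter=d "$BASE_SHA" HEAD \
                  | awk '{ s += $1 + $2 } END { print s + 0 }')
          if   [ "$lines" -le 10 ];   then size=XS
          elif [ "$lines" -le 100 ];  then size=S
          elif [ "$lines" -le 500 ];  then size=M
          elif [ "$lines" -le 1000 ]; then size=L
          else                             size=XL
          fi
          echo "Size: $size" >> artifact/labels
          # Area rules (assumed globs; the real rules live in .github/labeler.yml).
          files=$(git diff --name-only "$BASE_SHA" HEAD)
          echo "$files" | grep -Eq '^(CMakeLists\.txt|Makefile)$' && echo "Area: Build system" >> artifact/labels
          echo "$files" | grep -q '^examples/'                     && echo "Area: Examples"     >> artifact/labels
          echo "$files" | grep -q '^\.github/'                     && echo "Area: CI"           >> artifact/labels
          echo "$files" | grep -q '^include/system/'               && echo "Area: System"       >> artifact/labels
          true

      - uses: actions/upload-artifact@v4
        with:
          name: pr-labels
          path: artifact/
---
# File 2 (assumed name): .github/workflows/pr_labeler.yml
# Trigger: workflow_run. Runs the workflow file from the default branch with a
# write token, so it never checks out or executes PR code, and it validates
# everything it reads from the artifact before acting on it.
name: Set Pull Request Labels

on:
  workflow_run:
    workflows: ["Label PR"]
    types: [completed]

permissions:
  pull-requests: write
  actions: read        # required to download another run's artifacts

jobs:
  apply-labels:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-labels
          path: artifact
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Validate and apply labels
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          pr=$(tr -d '[:space:]' < artifact/pr_number)
          case "$pr" in
            ''|*[!0-9]*) echo "rejecting PR number from artifact" >&2; exit 1 ;;
          esac
          # The artifact names a PR; confirm that PR's head is the commit that produced it.
          head=$(gh pr view "$pr" --repo "$REPO" --json headRefOid --jq .headRefOid)
          if [ "$head" != "$RUN_HEAD_SHA" ]; then
            echo "PR $pr head $head does not match run head $RUN_HEAD_SHA" >&2; exit 1
          fi
          # Only allowlisted labels may ever be applied, whatever the artifact says.
          allowed='^(Size: (XS|S|M|L|XL)|Area: (Build system|Examples|CI|System))$'
          labels=
          while IFS= read -r label; do
            printf '%s\n' "$label" | grep -Eq "$allowed" \
              || { echo "rejecting label: $label" >&2; exit 1; }
            labels="${labels:+$labels,}$label"
          done < artifact/labels
          [ -n "$labels" ] || { echo "no labels to apply"; exit 0; }
          gh pr edit "$pr" --repo "$REPO" --add-label "$labels"
```

Two properties make this split safe where pull_request_target was not. First, a pull_request run from a fork gets a read-only GITHUB_TOKEN and no repository secrets, so even if the PR tampers with labeler.yml the worst it can do is write a bad artifact. Second, workflow_run always executes the pr_labeler.yml from the default branch, so a PR cannot edit its way into the job that holds `pull-requests: write`. The artifact is therefore the only channel across the boundary, which is why the second job pins the label set to an allowlist and checks the PR number against the run's head commit instead of trusting either value; this is also the reason a scanner such as Zizmor cannot judge a workflow_run workflow from its trigger alone, since the safety lives in that validation step.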
