[llvm] workflows: Unsplit new-prs (PR #69560)
Aiden Grossman via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 30 12:55:10 PDT 2023
================
@@ -1,56 +1,33 @@
name: "Labelling new pull requests"
on:
- workflow_run:
- workflows: ["PR Receive"]
+ # It's safe to use pull_request_target here, because we aren't checking out
+ # code from the pull request branch.
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - ready_for_review
+ - synchronize
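Review bot: The safety comment above `pull_request_target:` only holds while no job in this workflow checks out or runs code from the pull request head, so it should be worded as a rule for future edits (for example, "do not add a checkout of the PR head ref to this workflow") rather than as a description of the current state. The lines shown also set no top-level `permissions:` key next to `on:`; a read-only default there, with write scopes granted per job, would bound what the token can do each time the trigger fires on `opened`, `reopened`, `ready_for_review` or `synchronize`.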
----------------
boomanaiden154 wrote:
It looks like this workflow is missing a top-level `permissions` flag? I believe best practice here would be to set
```
permissions:
  contents: read
```
at the top level and then add additional permissions only as needed in the individual jobs.
https://github.com/llvm/llvm-project/pull/69560
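The two conditions discussed in this message (no checkout of pull request code, and a read-only top-level `permissions` default) can be checked mechanically. The following is an added example, not code from the original message or from LLVM; the sample workflows and the `audit` function are constructed for illustration, and the check is a line-based heuristic rather than a YAML parse.

```python
import re

# Constructed sample workflows for illustration; not LLVM's actual files.
UNSCOPED = """\
name: "Labelling new pull requests"
on:
  pull_request_target:
    types: [opened, reopened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "label the PR through the API"
"""
# Same workflow with a read-only default and the write scope on the job.
SCOPED = UNSCOPED.replace(
    "jobs:\n", "permissions:\n  contents: read\njobs:\n", 1
).replace(
    "    runs-on:", "    permissions:\n      pull-requests: write\n    runs-on:", 1
)
# Adds the step the hunk's comment says the workflow must never contain.
HEAD_CHECKOUT = SCOPED + """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

def audit(workflow_text):
    """Heuristic, line-based findings for one workflow file (no YAML parser)."""
    code = re.sub(r"(^|[ \t])#.*$", "", workflow_text, flags=re.M)  # drop comments
    if not re.search(r"\bpull_request_target\b", code):
        return []  # only privileged-trigger workflows are in scope
    findings = []
    # Top-level keys start at column 0; capture the permissions block if present.
    top = re.search(r"^permissions:(.*(?:\n[ \t]+.*)*)", code, flags=re.M)
    if top is None:
        findings.append("no top-level permissions")
    elif "write" in top.group(1):
        findings.append("write scope granted at top level")
    # A reference to the PR head is the usual sign that untrusted code is checked out.
    if re.search(r"github\.event\.pull_request\.head\.", code):
        findings.append("references PR head")
    return findings

if __name__ == "__main__":
    for name in ("UNSCOPED", "SCOPED", "HEAD_CHECKOUT"):
        print(name, audit(globals()[name]))
```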