[llvm] workflows: Unsplit new-prs (PR #69560)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Mon Oct 30 13:17:58 PDT 2023


https://github.com/tstellar updated https://github.com/llvm/llvm-project/pull/69560

>From 47bb041f42e4b440b59b807db8b8f509f35f950e Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Wed, 18 Oct 2023 21:08:52 -0700
Subject: [PATCH 1/3] workflows: Unsplit new-prs

This is essentially a revert of 91fdb20915696ab955be0baea18b976717e370b9.
It is safe to use the pull_request_target event for new-prs, because it
does not check out any code from the pull request branch.
---
 .github/workflows/new-prs.yml    | 53 +++++++++-----------------------
 .github/workflows/pr-receive.yml | 34 --------------------
 2 files changed, 15 insertions(+), 72 deletions(-)
 delete mode 100644 .github/workflows/pr-receive.yml

diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index c1952ddab83f78b..052ae39654028fe 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -1,7 +1,14 @@
 name: "Labelling new pull requests"
 on:
-  workflow_run:
-    workflows: ["PR Receive"]
+  # It's safe to use pull_request_target here, because we aren't checking out
+  # code from the pull request branch.
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - ready_for_review
+      - synchronize
 
 jobs:
   automate-prs-labels:
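Review bot: The comment above `pull_request_target:` records why the trigger is safe today but not the property a future edit must preserve, so a later step that checks out the PR head ref or expands a PR-controlled field (title, body, branch name) inside a `run:` script would silently invalidate the argument while the comment still reads as a blanket approval. Suggest extending it with `# Any step added to this workflow must keep that property: no checkout of the PR head, and no PR-controlled fields expanded inside run: scripts.`. Because `synchronize` is included, the job runs with repository secrets on every push to an open PR, so the invariant applies to each step, not only the current one.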
@@ -9,48 +16,18 @@ jobs:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
+    # Ignore PRs with more than 10 commits.  Pull requests with a lot of
+    # commits tend to be accidents usually when someone made a mistake while trying
+    # to rebase.  We want to ignore these pull requests to avoid excessive
+    # notifications.
     if: >
       github.repository == 'llvm/llvm-project' &&
-      github.event.workflow_run.event == 'pull_request_target' &&
-      github.event.workflow_run.conclusion == 'success'
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.commits < 10
     steps:
-      # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-      # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
-      - name: Debug
-        run: |
-          echo "Event: ${{ github.event.workflow_run.event }} Conclusion: ${{ github.event.workflow_run.conclusion }}"
-      - name: 'Download artifact'
-        uses: actions/github-script at v6
-        with:
-          script: |
-            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id
-            });
-            const matchArtifact = artifacts.data.artifacts.find((artifact) =>
-              artifact.name === 'pr'
-            );
-            const download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip'
-            });
-            const { writeFileSync } = require('node:fs');
-            writeFileSync('${{ github.workspace }}/pr.zip', Buffer.from(download.data));
-
-      - run: unzip pr.zip
-
-      - name: "Get PR Number"
-        id: vars
-        run:
-          echo "pr-number=$(cat NR)" >> "$GITHUB_OUTPUT"
-
       - uses: actions/labeler at v4
         with:
           configuration-path: .github/new-prs-labeler.yml
           # workaround for https://github.com/actions/labeler/issues/112
           sync-labels: ''
           repo-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
-          pr-number: ${{ steps.vars.outputs.pr-number }}
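Review bot: `repo-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}` now hands a stored PAT to a job triggered by `pull_request_target` for any pull request, while the job already grants `pull-requests: write` to the workflow token, which is all the labeler step itself needs. If the PAT is deliberate (for example so that the `labeled` event it produces can trigger downstream workflows, which `GITHUB_TOKEN` cannot do), that reason should be stated next to the line, e.g. `# PAT rather than github.token so the resulting labeled event triggers other workflows.`; otherwise `repo-token: ${{ github.token }}` holds less in a run that external contributors can start. Whether downstream workflows depend on this cannot be confirmed from this file alone.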
diff --git a/.github/workflows/pr-receive.yml b/.github/workflows/pr-receive.yml
deleted file mode 100644
index 13f1a883cf8ff67..000000000000000
--- a/.github/workflows/pr-receive.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-
-name: PR Receive
-on:
-  pull_request_target:
-    types:
-      - opened
-      - reopened
-      - ready_for_review
-      - synchronize
-
-permissions:
-  contents: read
-
-jobs:
-  pr-target:
-    runs-on: ubuntu-latest
-    # Ignore PRs with more than 10 commits.  Pull requests with a lot of
-    # commits tend to be accidents usually when someone made a mistake while trying
-    # to rebase.  We want to ignore these pull requests to avoid excessive
-    # notifications.
-    if: github.repository == 'llvm/llvm-project' &&
-        github.event.pull_request.draft == false &&
-        github.event.pull_request.commits < 10
-    steps:
-      - name: Store PR Information
-        run: |
-          mkdir -p ./pr
-          echo ${{ github.event.number }} > ./pr/NR
-
-      - uses: actions/upload-artifact at v3
-        with:
-          name: pr
-          path: pr/

>From 7af7d12b0515efb92a80c39b7a1a00c21db00326 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Mon, 30 Oct 2023 13:07:38 -0700
Subject: [PATCH 2/3] Add toplevel permissions

---
 .github/workflows/new-prs.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index 052ae39654028fe..91e5e81b97a6b42 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -1,4 +1,8 @@
 name: "Labelling new pull requests"
+
+permissions:
+  contents: read
+
 on:
   # It's safe to use pull_request_target here, because we aren't checking out
   # code from the pull request branch.

>From 5528158e2737ea168c5de35cb1075b9a57ffed0c Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Mon, 30 Oct 2023 13:17:36 -0700
Subject: [PATCH 3/3] Move all permissions to top-level

---
 .github/workflows/new-prs.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index 91e5e81b97a6b42..51f1d4b6f82f9ff 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -2,6 +2,7 @@ name: "Labelling new pull requests"
 
 permissions:
   contents: read
+  pull-requests: write
 
 on:
   # It's safe to use pull_request_target here, because we aren't checking out
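Review bot: Moving `pull-requests: write` to the workflow-level `permissions:` block widens the grant from the one job to every job in this file, including any added later; the job-level block removed in the next hunk was the narrower scope. With a single job the effective token is identical, so this is a least-privilege maintainability point rather than a present defect, and the commit message gives no rationale for preferring the top-level placement. If the move is intended, a comment such as `# Workflow-wide; scope to the job if another job is ever added here.` would make the trade-off visible to the next editor.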
@@ -16,9 +17,6 @@ on:
 
 jobs:
   automate-prs-labels:
-    permissions:
-      contents: read
-      pull-requests: write
     runs-on: ubuntu-latest
     # Ignore PRs with more than 10 commits.  Pull requests with a lot of
     # commits tend to be accidents usually when someone made a mistake while trying


