[llvm] workflows: Unsplit new-prs (PR #69560)
Tom Stellard via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 30 13:21:12 PDT 2023
================
@@ -1,56 +1,37 @@
name: "Labelling new pull requests"
+
+permissions:
+ contents: read
+
on:
- workflow_run:
- workflows: ["PR Receive"]
+ # It's safe to use pull_request_target here, because we aren't checking out
+ # code from the pull request branch.
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - ready_for_review
+ - synchronize
jobs:
automate-prs-labels:
permissions:
contents: read
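Review bot: The job-level `permissions:` block under `automate-prs-labels` still lists `contents: read`, which now duplicates the new top-level block. A job-level `permissions` key replaces the workflow-level one for that job rather than merging with it, so as shown the top-level default has no effect on this job. Consider keeping the read-only default at the top level and listing at the job level only the scopes that go beyond it. On the trigger change, the comment justifying `pull_request_target` holds only while no step checks out or runs content from the pull request branch. It would help to word the comment as a condition for future edits, since this trigger runs in the base repository's context on every `synchronize`.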
----------------
tstellar wrote:
I just moved all the permissions to the top-level since there is only one job in this file. It's unlikely that another job will be added to this file, so this probably won't matter, but I was wondering if it would make sense to have a policy where we only add the write permissions on the job level.
https://github.com/llvm/llvm-project/pull/69560