Update autolabel because Dependabot sucks

Dependabot runs PRs in a way that makes them appear as a fork, so as a result the pull_request action runs with a read-only token. That breaks label creation, which is super annoying. Switching to pull_request_target runs with a read-write token, but introduces a security risk if the action isn't careful. The action as-is is fine, but addtions need to be careful. Added a comment to that end. actions/labeler#136 https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
Kong · Jun 21, 2021 · 406b178 · 406b178
1 parent eccaf02
commit 406b178
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/.github/workflows/autolabel.yaml b/.github/workflows/autolabel.yaml
@@ -2,7 +2,10 @@
 name: Pull Request Labeler
 
 on:  # yamllint disable-line rule:truthy
-  pull_request:
+  # note: security risk from this action.  Do not add
+  # actions in here which need a checkout of the repo,
+  # and do not use any caching in here.
+  pull_request_target:
 
 jobs:
   autolabel: