Fix "label-pr" workflow for PR from forks (#297)

Tested it manually (by using `pull_request`): https://github.com/SharezoneApp/sharezone-app/actions/runs/3136587111/jobs/5093688752 The workflow is not running for this PR because it's not on our `main` branch. It will be used when this PR has been merged. Closes #294
SharezoneApp · Sep 28, 2022 · c31021f · c31021f
1 parent ea6d6ab
commit c31021f
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 16 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,22 +23,6 @@ env:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow applies labels to pull requests based on the paths that are
-  # modified in the pull request.
-  #
-  # Edit `.github/labeler.yml` to configure labels.
-  #
-  # For more information, see: https://github.com/actions/labeler
-  label-pr:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-    - uses: actions/checkout@v3
-    - name: Label PR
-      uses: actions/labeler@v3
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
-
   analyze:
     runs-on: ubuntu-latest
     # In draft PRs we might use TODOs temporarily.

diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml
@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Sharezone UG (haftungsbeschränkt)
+# Licensed under the EUPL-1.2-or-later.
+#
+# You may obtain a copy of the Licence at:
+# https://joinup.ec.europa.eu/software/page/eupl
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+name: pull-request-labeler
+
+on:
+  # Trigger "pull_request" would not work for pull request from a fork because
+  # the secrets would be not accessible. "pull_request_target" uses the context
+  # from the base branch which allows to use secrets for pull requests from a
+  # fork.
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
+
+# Declare default permissions as none.
+#
+# Having workflows without setting the permission for the workflow is considered
+# a bad security practice and it is causing alerts from our scanning tools.
+permissions: {}
+
+jobs:
+  # This workflow applies labels to pull requests based on the paths that are
+  # modified in the pull request.
+  #
+  # Edit `.github/labeler.yml` to configure labels.
+  #
+  # For more information, see: https://github.com/actions/labeler
+  label:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/labeler@a96e5aec3e3d5caaefde174986c02d40560a0b91
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"