Fix check-labels workflow commenting on forked PRs (#101467)

Using `pull_request_target` allows securely passing the secrets to make comments on a forked PRs. See more about `pull_request_target` in https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/ The change was verified in malfet/deleteme#53 - with `on pull_request` there were no "This PR needs a label" comment, with with `on pull_request_target` the comment can be posted. Pull Request resolved: #101467 Approved by: https://github.com/malfet
pytorch · May 22, 2023 · 76df45a · 76df45a
1 parent 46518c2
commit 76df45a
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml
@@ -1,8 +1,22 @@
 name: Check Labels
 
 on:
+  # We need pull_request_target to be able to post comments on PRs from forks.
+  # Only allow pull_request_target when merging to main, not some historical branch.
+  #
+  # Make sure to don't introduce explicit checking out and installing/running
+  # untrusted user code into this workflow!
+  pull_request_target:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+    branches: [main]
+    paths-ignore: [.github]
+
+  # To allow testing PRs that change workflows.
+  # May be triggered together with pull_request_target, it's OK.
   pull_request:
     types: [opened, synchronize, reopened, labeled, unlabeled]
+    paths: [.github]
+
   workflow_dispatch:
 
 concurrency: