
Fix check-labels workflow commenting on forked PRs #101467

Closed
kit1980 wants to merge 3 commits

Conversation

@kit1980 (Member) commented May 15, 2023

Using pull_request_target allows securely passing the secrets to make comments on forked PRs.
See more about pull_request_target in https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

The change was verified in malfet/deleteme#53 - with on pull_request there was no "This PR needs a label" comment, with on pull_request_target the comment can be posted.

@kit1980 kit1980 requested a review from a team as a code owner May 15, 2023 23:29
@pytorch-bot bot commented May 15, 2023

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/101467

Note: Links to docs will display an error until the docs builds have been completed.

❌ 1 New Failure

As of commit d53e2ab:

NEW FAILURE - The following job has failed:

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@pytorch-bot pytorch-bot bot added the topic: not user facing topic category label May 15, 2023
@kit1980 kit1980 requested a review from malfet May 15, 2023 23:29
@malfet (Contributor) left a comment

LGTM, but please allow pull_request_target only for PRs targeting main

Comment on lines 4 to 5:

  pull_request_target:
    types: [opened, synchronize, reopened, labeled, unlabeled]
@malfet (Contributor) May 15, 2023

Let's limit the pull_request_target trigger only to PRs that target the main branch. And perhaps, to be extra paranoid: only PRs that do not modify any of the .yml files.

Suggested change

Original:

  pull_request_target:
    types: [opened, synchronize, reopened, labeled, unlabeled]

Suggested:

  pull_request:
    types: [opened, synchronize, reopened, labeled, unlabeled]
    branches-ignore: [main]
  pull_request_target:
    types: [opened, synchronize, reopened, labeled, unlabeled]
    branches: [main]

@kit1980 (Member, Author)

For something bad to happen with a non-main branch, the attacker needs to have write permissions to the repo.
And with write permissions, anything can be changed.
But I'm fine with this change if it feels safer.

@kit1980 (Member, Author)

Discussed offline, will do the suggested way.
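An added illustrative workflow (not pytorch's own check-labels.yml, and not code from this PR) that puts together the trigger split suggested above with the safeguards that make pull_request_target acceptable for the use described in the PR: the privileged trigger runs only for PRs targeting main, the job gets only the pull-requests: write permission the comment needs, and it never checks out or executes the PR head's code. The label prefix, comment text and job name are assumptions.

```yaml
name: check-labels (illustrative example, not the project's workflow)

on:
  # Unprivileged run for PRs against any other branch: forks get no secrets here.
  pull_request:
    types: [opened, synchronize, reopened, labeled, unlabeled]
    branches-ignore: [main]
  # Privileged run (base-repo secrets available) only for PRs that target main.
  pull_request_target:
    types: [opened, synchronize, reopened, labeled, unlabeled]
    branches: [main]

# Least privilege: the job only needs to read the PR and post a comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  check-labels:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head: under pull_request_target
      # the workflow runs in the base repository's context, so running code from
      # the fork here would expose the secrets this event makes available.
      - name: Require a label on the PR
        uses: actions/github-script@v6
        with:
          script: |
            const labels = context.payload.pull_request.labels.map(l => l.name);
            // Assumed prefix; the real required label set is project-specific.
            const hasTopic = labels.some(l => l.startsWith('topic:'));
            if (hasTopic) return;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: 'This PR needs a label (assumed wording for this example).',
            });
```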

@pytorch-bot pytorch-bot bot added the ciflow/trunk Trigger trunk jobs on your pull request label May 17, 2023
@pytorch pytorch deleted a comment from pytorchmergebot May 17, 2023
@kit1980 (Member, Author) commented May 17, 2023

@pytorchbot merge

@pytorchmergebot (Collaborator)

The merge job was canceled. If you believe this is a mistake, then you can re-trigger it through pytorch-bot.

@pytorchmergebot (Collaborator)

Merge started

Your change will be merged once all checks pass (ETA 0-4 Hours).

Learn more about merging in the wiki.

Questions? Feedback? Please reach out to the PyTorch DevX Team

Advanced Debugging: check the merge workflow status here.

jcaip pushed a commit that referenced this pull request May 23, 2023
Using `pull_request_target` allows securely passing the secrets to make comments on forked PRs.
See more about `pull_request_target` in https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

The change was verified in malfet/deleteme#53 - with `on pull_request` there was no "This PR needs a label" comment, with `on pull_request_target` the comment can be posted.

Pull Request resolved: #101467
Approved by: https://github.com/malfet