diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml index ad91a53..806ca19 100644 --- a/.github/workflows/props-bot.yml +++ b/.github/workflows/props-bot.yml @@ -1,22 +1,25 @@ name: Props Bot on: - # This event runs anytime a PR is (re)opened, updated, or labeled. + # This event runs anytime a PR is (re)opened, updated, marked ready for review, or labeled. # GitHub does not allow filtering the `labeled` event by a specific label. # However, the logic below will short-circuit the workflow when the `props-bot` label is not the one being added. - pull_request: + # Note: The pull_request_target event is used instead of pull_request because this workflow needs permission to comment + # on the pull request. Because this event grants extra permissions to `GITHUB_TOKEN`, any code changes within the PR + # should be considered untrusted. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/. + pull_request_target: types: - opened - synchronize - reopened - labeled + - ready_for_review # This event runs anytime a comment is added or deleted. # You cannot filter this event for PR comments only. # However, the logic below does short-circuit the workflow for issues. issue_comment: type: - created - - deleted # This event will run everytime a new PR review is initially submitted. pull_request_review: types: @@ -25,13 +28,12 @@ on: pull_request_review_comment: types: - created - - deleted # Cancels all previous workflow runs for pull requests that have not completed. concurrency: # The concurrency group contains the workflow name and the branch name for pull requests # or the commit hash for any other events. - group: ${{ github.workflow }}-${{ contains( fromJSON( '["pull_request", "pull_request_review", "pull_request_review_comment"]' ), github.event_name ) && github.head_ref || github.sha }} + group: ${{ github.workflow }}-${{ contains( fromJSON( '["pull_request_target", "pull_request_review", "pull_request_review_comment"]' ), github.event_name ) && github.head_ref || github.sha }} cancel-in-progress: true # Disable permissions for all available scopes by default. @@ -52,17 +54,20 @@ jobs: pull-requests: write contents: read timeout-minutes: 20 - # The job should only run if: + # The job will run when pull requests are open, ready for review and: # - # - A pull request review is created or commented on. - # - An issue comment is added to a pull request. - # - A pull request is opened, synchronized, or reopened. + # - A comment is added to the pull request. + # - A review is created or commented on. + # - The pull request is opened, synchronized, marked ready for review, or reopened. # - The `props-bot` label is added to the pull request. if: | - contains( fromJSON( '["pull_request_review", "pull_request_review_comment"]' ), github.event_name ) || - ( github.event_name == 'issue_comment' && github.event.issue.pull_request ) || - github.event_name == 'pull_request' && github.event.action != 'labeled' || - 'props-bot' == github.event.label.name + ( + github.event_name == 'issue_comment' && github.event.issue.pull_request || + contains( fromJSON( '["pull_request_review", "pull_request_review_comment"]' ), github.event_name ) || + github.event_name == 'pull_request_target' && github.event.action != 'labeled' || + 'props-bot' == github.event.label.name + ) && + ( ! github.event.pull_request.draft && github.event.pull_request.state == 'open' || ! github.event.issue.draft && github.event.issue.state == 'open' ) steps: - name: Gather a list of contributors