Label PRs with change type according to changelog #1769
Conversation
.github/workflows/prepare-new-pr.yml
Outdated
| permissions: | ||
| pull-requests: write |
There was a problem hiding this comment.
I suspect this only worked in your test because the PR wasn't from a forked repo:
The
GITHUB_TOKENhas read-only permissions in pull requests from forked repositories.
this kind of automation probably requires pull_request_target, which brings security considerations
There was a problem hiding this comment.
It was necessary in my fork and failed without it.
`I assume it should not even be necessary in the original repo since
There was a problem hiding this comment.
thanks! yeah, you're right.
So the pull_request_target executes workflows from the target branch (main) where the GH_TOKEN will be exposed to the version of this script checked into main. Is there any security concern with it?
I believe it's used today by collector and .net and in the https://github.com/open-telemetry/assign-reviewers-action, so I assume it's considered to be safe and ok to use
There was a problem hiding this comment.
I believe it's used today by collector and .net and in the https://github.com/open-telemetry/assign-reviewers-action
these don't also check out the PR branch though, which is where things get tricky
e.g. you don't want to run a build on the PR branch, since PR could modify the build steps and print out secrets
your automation only needs to read a file, which sounds safe, but I'm not sure if the checkout alone could be compromised, e.g. by a post-checkout hook that prints out secrets (I'll test this... now I'm curious...)
There was a problem hiding this comment.
ah, git hooks have to be explicitly enabled after checkout, e.g. git config --local core.hooksPath .githooks/, so that seems safe
I'm good with pursuing this, just want to be careful about it
| pull-requests: write | ||
| if: ${{ github.repository_owner == 'open-telemetry' }} | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
I think this defaults to checking out main after switching to pull_request_target (I suspect due to the security concerns), I think need:
| - uses: actions/checkout@v4 | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.head_ref }} |
| echo "Change log file(s): ${CHLOG}" | ||
|
|
||
| if [ -z "$CHLOG" ]; then | ||
| echo "No changelog found in the PR. Ignoring this change." |
There was a problem hiding this comment.
Trick here, because people may forget to add the changelog and this will only run on PR open. Once they add it later no label will be there. Maybe we also have to run it on push?
This allows to label PRs as "breaking" simplifying filtering and querying breaking changes before they are released.
Tested here lmolkova#6
Merge requirement checklist
[chore]