database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
4ac38ca67adce44ba2e8a574d052dcd6ea342a11
doris/.github/workflows/approve-label.yml
Tobiasz Kędzierski 8d1c1ef1e6 [Community] Fix PR labeling github action workflow (#6279) 
My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](https://github.com/apache/incubator-doris/pull/6239)).

It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 )

Corresponding Apache Airflow workflows on which I based this PR:
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml
 - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml

Problems which were solved in this PR:

 - **Permissions**.
  @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](https://github.com/TobKed/label-when-approved-action/issues/7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article:  [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
   TL;DR:  On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on:  workflow_run:  workflows: ["Label when reviewed"]`).

 - **Safe use of 3rd-party Github Actions by using submodules pattern.**  It is decribed in:    
 https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status

    >  NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern.
    
    This pattern is successfully used by projects like:
     - [Apache Airflow](https://github.com/apache/airflow) ([PR](https://github.com/apache/airflow/pull/13514#))
     - [Apache Beam](https://github.com/apache/beam) ([PR](https://github.com/apache/beam/pull/13736))
     - [Apache Superset](https://github.com/apache/superset) ([PR](https://github.com/apache/superset/pull/12709))
2021-07-25 22:22:09 +08:00

68 lines
2.6 KiB
YAML
Raw Blame History

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
---
name: Label when approved workflow run
on:
workflow_run:
workflows: ["Label when reviewed"]
types: ['requested']
permissions:
# All other permissions are set to none
checks: write
contents: read
pull-requests: write
jobs:
label-when-approved:
name: "Label when approved"
runs-on: ubuntu-latest
outputs:
isApprovedByCommiters: ${{ steps.label-when-approved-by-commiters.outputs.isApproved }}
isApprovedByAnyone: ${{ steps.label-when-approved-by-anyone.outputs.isApproved }}
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
with:
persist-credentials: false
submodules: recursive
- name: "Get information about the original trigger of the run"
uses: ./.github/actions/get-workflow-origin
id: source-run-info
with:
token: ${{ secrets.GITHUB_TOKEN }}
sourceRunId: ${{ github.event.workflow_run.id }}
- name: Label when approved by commiters
uses: ./.github/actions/label-when-approved-action
id: label-when-approved-by-commiters
with:
token: ${{ secrets.GITHUB_TOKEN }}
label: 'approved'
require_committers_approval: 'true'
remove_label_when_approval_missing: 'true'
pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
comment: 'PR approved by at least one committer and no changes requested.'
- name: Label when approved by anyone
uses: ./.github/actions/label-when-approved-action
id: label-when-approved-by-anyone
with:
token: ${{ secrets.GITHUB_TOKEN }}
label: 'reviewed'
pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
comment: 'PR approved by anyone and no changes requested.'
Reference in New Issue View Git Blame Copy Permalink