Fix "label-pr" workflow for PR from forks #297

Merged
merged 12 commits into from
Sep 28, 2022

nilsreichardt
Member

@nilsreichardt nilsreichardt commented Sep 27, 2022

Tested it manually (by using pull_request): https://github.com/SharezoneApp/sharezone-app/actions/runs/3136587111/jobs/5093688752

The workflow is not running for this PR because it's not on our main branch. It will be used when this PR has been merged.

Closes #294

@github-actions github-actions bot added the ci/cd label Sep 27, 2022
github-actions bot commented Sep 27, 2022

Visit the preview URL for this PR (updated for commit 6195340):

https://sharezone-test--pr297-fix-label-pr-for-for-8665qa3m.web.app

(expires Wed, 05 Oct 2022 08:00:37 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

@nilsreichardt nilsreichardt marked this pull request as ready for review September 27, 2022 14:56
#
# Having workflows without default permissions is considered a bad security
# practice and it is causing alerts from our scanning tools.
permissions: read-all
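
Review bot: The comment above `permissions: read-all` says "without default permissions", which reads as if a missing default were the problem; word it as what the line does, for example "Set explicit workflow-level token permissions; relying on the repository default is flagged by our scanning tools." Separately, `read-all` at workflow level applies read access on every scope to every job in the file, so a narrower workflow-level value with per-job grants would keep the token closer to what the labeling job uses.
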
Collaborator

Wouldn't it be better to only grant the permissions that the action actually needs?

Member Author

Because the repository is public, I don't think you can read things with the GITHUB_TOKEN that are not already public. But I changed it to permissions: {} which disables all permissions and it still works 👍

Collaborator

@Jonas-Sander Jonas-Sander left a comment

LGTM, see comment above though

Comment on lines 25 to 26
# Having workflows without default permissions is considered a bad security
# practice and it is causing alerts from our scanning tools.
Collaborator

Suggested change
# Having workflows without default permissions is considered a bad security
# practice and it is causing alerts from our scanning tools.
# Having workflows with default permissions is considered a bad security
# practice and it is causing alerts from our scanning tools.

Shouldn't it be this?

Member Author

It means the default permission in the workflow. In this case:

permissions: {}

@nilsreichardt nilsreichardt enabled auto-merge (squash) September 28, 2022 08:00
@nilsreichardt nilsreichardt merged commit c31021f into main Sep 28, 2022
@nilsreichardt nilsreichardt deleted the fix-label-pr-for-forks branch September 28, 2022 08:24
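
The three states discussed in this review (no workflow-level permissions, `permissions: read-all`, and `permissions: {}`), as an added example that is not code from this repository or from its scanning tools: a minimal Python check that classifies a workflow file's top-level `permissions` key. The sample workflow texts are constructed, and the function name and verdict strings are assumptions.

```python
import re

# Workflow-level (column 0) "permissions:" key with an optional inline value.
TOP_LEVEL = re.compile(r"^permissions:[ \t]*(.*?)[ \t]*(?:#.*)?$", re.MULTILINE)
# Indented "scope: level" entry of a block-style permissions mapping.
SCOPE = re.compile(r"^[ \t]+([a-z-]+):[ \t]*(read|write|none)\b")


def audit_token_permissions(workflow_text):
    """Return (verdict, detail) for the workflow-level GITHUB_TOKEN permissions."""
    match = TOP_LEVEL.search(workflow_text)
    if match is None:
        return ("missing", "no workflow-level permissions; repository default applies")
    value = match.group(1)
    if value in ("read-all", "write-all"):
        return ("broad", f"{value} covers every scope for every job")
    if value == "{}":
        return ("ok", "all scopes disabled at workflow level")
    if value:
        return ("review", f"inline value {value!r} not understood by this check")
    writes = []
    for line in workflow_text[match.end():].splitlines():
        if not line.strip():
            continue
        entry = SCOPE.match(line)
        if entry is None:
            break  # first line that is not a scope entry ends the block
        if entry.group(2) == "write":
            writes.append(entry.group(1))
    if writes:
        return ("write", "workflow-wide write scopes: " + ", ".join(writes))
    return ("ok", "explicit read/none scopes only")


# Constructed sample workflows (not the repository's real label-pr file).
HEADER = "name: label-pr\non: pull_request\n"
JOBS = "jobs:\n  label:\n    runs-on: ubuntu-latest\n    steps: []\n"
SAMPLES = {
    "no key": HEADER + JOBS,
    "read-all": HEADER + "permissions: read-all\n" + JOBS,
    "empty": HEADER + "permissions: {}  # job-level grants only\n" + JOBS,
    "scoped": HEADER + "permissions:\n  contents: read\n  pull-requests: write\n" + JOBS,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", audit_token_permissions(text))
```

A `permissions` block indented under a job is deliberately not counted, since it does not set the default for the other jobs in the file.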

Successfully merging this pull request may close these issues.

Workflow "label-pr" is not working when a PR is opened from a fork
2 participants