From e921d9b78e7d7a1b82f1f7c3aff61956d1662498 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Thu, 15 Sep 2022 16:15:45 -0400
Subject: [PATCH] GHA: Attach labeler context to to PR target-branch

Unlike the vast majority of CI systems, GitHub Action workflow YAML is sourced differently at runtime based on the trigger type. This can creates a "gotcha" for maintainers because the action is operating on a PR but the job definition comes from `main`. Therefore over-time, with respect to the 'labeler' workflow, the semantics of both labels and globs (in `.github/labeler.yml`) may diverge between release branches and `main`.

Fix this by leveraging the "reusable workflows" feature in the `labeler.yml` worflow (on `main`), to call the new `_labeler.yml` workflow YAML on the target branch of the PR. This allows changes to both the `_labeler.yml` workflow and `.github/labeler.yml` globs to follow branch-content instead of main.

Note: Any branch which does not contain `.github/workflows/_labeler.yml` and `.github/labeler.yml` files will fail. This can be corrected as needed by backporting those files and making any needed branch-specific updates.

Signed-off-by: Chris Evich
---
 .github/workflows/_labeler.yml | 27 +++++++++++++++++++++++++++
 .github/workflows/labeler.yml | 32 +++++++++++++++++++++-----------
 2 files changed, 48 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/_labeler.yml

diff --git a/.github/workflows/_labeler.yml b/.github/workflows/_labeler.yml
new file mode 100644
index 0000000000..5beca0c9e0
--- /dev/null
+++ b/.github/workflows/_labeler.yml
@@ -0,0 +1,27 @@
+---
+
+# This workflow is not intended to be used directly. Please
+# see `labeler.yml` comments to understand why.
+on: workflow_call
+
+jobs:
+  triage:
+    permissions:
+      contents: read
+      # **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**
+      #
+      # This workflow uses pull-request --> WRITE <-- Permissions.
+      # Please carefully review any/all changes proposed below,
+      # that they do not attempt to to perform a PR merge.
+      #
+      # **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # https://github.com/actions/labeler
+      - uses: actions/labeler@v4
+        # The v4 code of this action reads the glob-YAML from the triggering
+        # PR context (via the `$GITHUB_SHA` value):
+        # https://github.com/actions/labeler/blob/v4/src/labeler.ts#L119
+        with:
+          repo-token: "${{secrets.GITHUB_TOKEN}}"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 64505bbfee..d564bfd3ee 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
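Review bot: `actions/labeler@v4` runs in this job with a `pull-requests: write` token on behalf of a `pull_request_target` caller, yet it is pinned to a mutable major tag rather than a commit SHA, so anyone able to move that tag gets that token; pin it as `- uses: actions/labeler@<full-commit-sha> # v4` and let Dependabot/Renovate keep the comment current. The comment above `with:` says the action reads the glob YAML "from the triggering PR context (via `$GITHUB_SHA`)", but under `pull_request_target` `GITHUB_SHA` is, as far as I recall, the last commit of the PR's base branch, so the globs are read from the target branch and never from the untrusted PR head — that is the safe behaviour and worth stating plainly so nobody later "fixes" it by checking out the PR head, e.g. `# Under pull_request_target GITHUB_SHA is the base-branch tip, so .github/labeler.yml is read from the target branch, not from the PR head.` The WARNING block also has a doubled word in "attempt to to perform".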
@@ -1,15 +1,25 @@
-# https://github.com/actions/labeler
 name: "Pull Request Labeler"
 on:
-- pull_request_target
+  # IMPORTANT NOTE: The actual workflow YAML used for a run may not
+  # be what you expect! Specifically, the `pull_request_target`
+  # trigger uses the workflow YAML as-is on the `main` branch at
+  # the time.
+  - pull_request_target
 jobs:
-  triage:
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/labeler@v4
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+  # Avoid any label-semantic conflicts between `main` and any PR's target
+  # branch, by redirecting execution to the workflow YAML as defined
+  # in the branch targeted by the PR (`github.base_ref`). This also
+  # implies PR's cannot directly modify the workflow YAML (which has
+  # repository-write permissions) before being merged into a branch.
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  triage:
+    # Note `github.base_ref` is: "The base_ref or target branch of the pull
+    # request in a workflow run. This property is only available when the
+    # event that triggers a workflow run is either pull_request or
+    # pull_request_target"
+    uses: ${{github.repository}}/.github/workflows/_labeler.yml@${{github.base_ref}}
+    secrets: inherit
+    permissions:
+      contents: read
+      pull-requests: write
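Review bot: `secrets: inherit` forwards every repository and organization secret into a job triggered by `pull_request_target`, while `_labeler.yml` only reads `secrets.GITHUB_TOKEN`, which (if I recall correctly) a same-repository called workflow receives without `inherit`; drop that line, or pass an explicit `secrets:` mapping, so that a later edit to `_labeler.yml` on any release branch cannot quietly start consuming other secrets. I am also not certain GitHub evaluates `${{ }}` expressions in `jobs.<id>.uses` for reusable-workflow calls, so please confirm with a PR against a non-`main` branch before merging; and since `pull_request_target` already takes the caller workflow file from the PR's base branch (as I understand the docs), `uses: ./.github/workflows/_labeler.yml` may give the same target-branch semantics with a static path, which would also make the IMPORTANT NOTE comment under `on:` more accurate. The hunk header counts one more line on each side than is visible here, presumably a blank context line lost in transit.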