CI: AssignCommitter.yml: Use the on: pull_request_target event (not the on: pull_request event) #4

Workflow file for this run

name: Assign Committer
on:
  # Important security note: Do NOT use `actions/checkout`
  # or any other method for checking out the pull request's source code.
  # This is because the pull request's source code is untrusted, but the
  # GITHUB_TOKEN has write permissions (because of the `on: pull_request_target` event).
  #
  # Quoting from the GitHub Docs:
  # > For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted
  # > read/write repository permission unless the permissions key is specified and the workflow can access secrets,
  # > even when it is triggered from a fork.
  # >
  # > Although the workflow runs in the context of the base of the pull request,
  # > you should make sure that you do not check out, build, or run untrusted code from the pull request with this event.
  #
  # Source: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target
  #
  # See also: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
  pull_request:
    types: [opened, reopened, ready_for_review]
permissions:
  pull-requests: write
jobs:
  assign-reviewer:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.draft != true }}
    steps:
      # Important security note: As discussed above, do NOT use `actions/checkout`
      # or any other method for checking out the pull request's source code.
      # This is because the pull request's source code is untrusted, but the
      # GITHUB_TOKEN has write permissions (because of the `on: pull_request_target` event).
      - name: Add Assignee
        uses: actions/github-script@v7
        with:
          script: |
            // Only act on PRs that nobody has been assigned to yet
            if (context.payload.pull_request.assignees.length === 0) {
              // Find suitable assignees: the members of the "committers" team
              // TODO: This needs read:org permission
              const { data: members } = await github.rest.teams.listMembersInOrg({
                org: "JuliaLang",
                team_slug: "committers",
                per_page: 100, // TODO: use pagination once we have more than 100 committers
              });
              const member_logins = members.map(member => member.login);
              // Skip PRs authored by committers
              const prAuthor = context.payload.pull_request.user.login;
              if (!member_logins.includes(prAuthor)) {
                // Assign one random committer (the API expects an array of logins)
                const assignee = member_logins[Math.floor(Math.random() * member_logins.length)];
                await github.rest.issues.addAssignees({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.pull_request.number,
                  assignees: [assignee],
                });
                // Add the review-status label
                await github.rest.issues.addLabels({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.pull_request.number,
                  labels: ['status: waiting for PR reviewer'],
                });
              }
            }
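The security note in the workflow comments (write-capable GITHUB_TOKEN under `pull_request_target`, so never check out or run the PR's code) is something a repository can audit for mechanically. The following is an added example, not part of the workflow or the JuliaLang repository: a heuristic line scanner that flags workflows which use the `pull_request_target` trigger together with `actions/checkout` or a reference to the PR head. Comments are blanked first, so a workflow like the one above, which names both only in its comments, is not flagged; the regexes and the two sample workflows are constructed for this example.

```python
import re

# Heuristics (assumptions of this example): the trigger may be written in block form
# ("pull_request_target:" under "on:") or flow form ("on: [pull_request_target]").
TRIGGER_RE = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$")
ON_RE = re.compile(r"^\s*on\s*:.*pull_request_target")
CHECKOUT_RE = re.compile(r"uses\s*:\s*['\"]?actions/checkout")
HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")

def blank_comments(text: str) -> list[str]:
    """Blank full-line comments and trailing ' # ...' so they cannot match; keep line numbers."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            out.append("")
        else:
            out.append(re.sub(r"\s+#.*$", "", line))
    return out

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means nothing was flagged."""
    lines = blank_comments(text)
    if not any(TRIGGER_RE.match(l) or ON_RE.match(l) for l in lines):
        return []  # plain pull_request: a fork's GITHUB_TOKEN is read-only, out of scope here
    findings = []
    for no, line in enumerate(lines, start=1):
        if CHECKOUT_RE.search(line):
            findings.append(f"line {no}: actions/checkout runs under pull_request_target")
        if HEAD_RE.search(line):
            findings.append(f"line {no}: references the untrusted PR head")
    return findings

# Constructed samples: SAFE mirrors the workflow above (target trigger, no checkout,
# the risky names appear only in a comment); UNSAFE checks out and runs the PR head.
SAFE = """name: Assign Committer
on:
  # do NOT use actions/checkout here: pull_request_target grants a write token
  pull_request_target:
jobs:
  assign:
    steps:
      - uses: actions/github-script@v7
"""
UNSAFE = """on: [pull_request_target]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""
```

Running `audit_workflow` over every file under `.github/workflows/` in a pre-merge check turns the comment's rule into a gate; a finding on a `pull_request_target` workflow should be reviewed before the write token is ever exposed to fork code.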