CI: AssignCommitter.yml: Use the on: pull_request_target event (not the on: pull_request event)
#4
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Assign Committer | |
| on: | |
| # Important security note: Do NOT use `actions/checkout` | |
| # or any other method for checking out the pull request's source code. | |
| # This is because the pull request's source code is untrusted, but the | |
| # GITHUB_TOKEN has write permissions (because of the `on: pull_request_target` event). | |
| # | |
| # Quoting from the GitHub Docs: | |
| # > For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted | |
| # > read/write repository permission unless the permissions key is specified and the workflow can access secrets, | |
| # > even when it is triggered from a fork. | |
| # > | |
| # > Although the workflow runs in the context of the base of the pull request, | |
| # > you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. | |
| # | |
| # Source: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target | |
| # | |
| # See also: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ | |
| pull_request: | |
| types: [opened, reopened, ready_for_review] | |
| permissions: | |
| pull-requests: write | |
| jobs: | |
| assign-reviewer: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.pull_request.draft != true }} | |
| steps: | |
| # Important security note: As discussed above, do NOT use `actions/checkout` | |
| # or any other method for checking out the pull request's source code. | |
| # This is because the pull request's source code is untrusted, but the | |
| # GITHUB_TOKEN has write permissions (because of the `on: pull_request_target` event). | |
| - name: Add Assignee | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| if (context.payload.pull_request.assignees.length === 0) { | |
| // Find suitable assignees | |
| const { data: members } = await github.rest.teams.listMembersInOrg({ // TODO This needs read:org permission | |
| org: "JuliaLang", | |
| team_slug: "committers", | |
| per_page: 100, // TODO: use pagination once we have more than 100 committers | |
| }); | |
| const member_logins = members.map(member => member.login); | |
| // Skip PRs authored by committers | |
| const prAuthor = context.payload.pull_request.user.login; | |
| if (!member_logins.includes(prAuthor)) { | |
| // Assign random committer | |
| await github.rest.issues.addAssignees({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.payload.pull_request.number, | |
| assignees: member_logins[Math.floor(Math.random()*member_logins.length)], | |
| }); | |
| // Add the "pr review" label | |
| await github.rest.issues.addLabels({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.payload.pull_request.number, | |
| labels: ['status: waiting for PR reviewer'], | |
| }); | |
| } | |
| } |