[Community] Fix PR labeling github action workflow (#6279)

My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](#6239)). It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 ) Corresponding Apache Airflow workflows on which I based this PR: - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml Problems which were solved in this PR: - **Permissions**. @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](TobKed/label-when-approved-action#7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article: [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). TL;DR: On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on: workflow_run: workflows: ["Label when reviewed"]`). - **Safe use of 3rd-party Github Actions by using submodules pattern.** It is decribed in: https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status > NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern. This pattern is successfully used by projects like: - [Apache Airflow](https://github.com/apache/airflow) ([PR](apache/airflow#13514)) - [Apache Beam](https://github.com/apache/beam) ([PR](apache/beam#13736)) - [Apache Superset](https://github.com/apache/superset) ([PR](apache/superset#12709))
apache · Jul 25, 2021 · 8d1c1ef · 8d1c1ef
1 parent 02a00cd
commit 8d1c1ef
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 5 deletions.
diff --git a/.github/actions/get-workflow-origin b/.github/actions/get-workflow-origin
diff --git a/.github/actions/label-when-approved-action b/.github/actions/label-when-approved-action
diff --git a/.github/workflows/approve-label-trigger.yml b/.github/workflows/approve-label-trigger.yml
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: Label when reviewed
+on: pull_request_review
+jobs:
+
+  label-when-reviewed:
+    name: "Label PRs when reviewed"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Do nothing. Only trigger corresponding workflow_run event"
+        run: echo
diff --git a/.github/workflows/approve-label.yml b/.github/workflows/approve-label.yml
@@ -1,5 +1,31 @@
-name: Label when approved
-on: pull_request_review
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: Label when approved workflow run
+on:
+  workflow_run:
+    workflows: ["Label when reviewed"]
+    types: ['requested']
+permissions:
+  # All other permissions are set to none
+  checks: write
+  contents: read
+  pull-requests: write
 
 jobs:
 
@@ -10,20 +36,32 @@ jobs:
       isApprovedByCommiters: ${{ steps.label-when-approved-by-commiters.outputs.isApproved }}
       isApprovedByAnyone: ${{ steps.label-when-approved-by-anyone.outputs.isApproved }}
     steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+          submodules: recursive
+      - name: "Get information about the original trigger of the run"
+        uses: ./.github/actions/get-workflow-origin
+        id: source-run-info
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          sourceRunId: ${{ github.event.workflow_run.id }}
       - name: Label when approved by commiters
-        uses: TobKed/label-when-approved-action@v1.3
+        uses: ./.github/actions/label-when-approved-action
         id: label-when-approved-by-commiters
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           label: 'approved'
           require_committers_approval: 'true'
           remove_label_when_approval_missing: 'true'
+          pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
           comment: 'PR approved by at least one committer and no changes requested.'
       - name: Label when approved by anyone
-        uses: TobKed/label-when-approved-action@v1.3
+        uses: ./.github/actions/label-when-approved-action
         id: label-when-approved-by-anyone
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           label: 'reviewed'
+          pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
           comment: 'PR approved by anyone and no changes requested.'
-
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule ".github/actions/label-when-approved-action"]
+	path = .github/actions/label-when-approved-action
+	url = https://github.com/TobKed/label-when-approved-action
+[submodule ".github/actions/get-workflow-origin"]
+	path = .github/actions/get-workflow-origin
+	url = https://github.com/potiuk/get-workflow-origin.git