From 8d1c1ef1e6b223d1e335f16999823aa4199a16b7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobiasz=20K=C4=99dzierski?= Date: Sun, 25 Jul 2021 16:22:09 +0200 Subject: [PATCH] [Community] Fix PR labeling github action workflow (#6279) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](https://github.com/apache/incubator-doris/pull/6239)). It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 ) Corresponding Apache Airflow workflows on which I based this PR: - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml Problems which were solved in this PR: - **Permissions**. @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](https://github.com/TobKed/label-when-approved-action/issues/7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article: [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). TL;DR: On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on: workflow_run: workflows: ["Label when reviewed"]`). - **Safe use of 3rd-party Github Actions by using submodules pattern.** It is described in: https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status > NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern. 
This pattern is successfully used by projects like: - [Apache Airflow](https://github.com/apache/airflow) ([PR](https://github.com/apache/airflow/pull/13514#)) - [Apache Beam](https://github.com/apache/beam) ([PR](https://github.com/apache/beam/pull/13736)) - [Apache Superset](https://github.com/apache/superset) ([PR](https://github.com/apache/superset/pull/12709)) --- .github/actions/get-workflow-origin | 1 + .github/actions/label-when-approved-action | 1 + .github/workflows/approve-label-trigger.yml | 28 ++++++++++++ .github/workflows/approve-label.yml | 48 ++++++++++++++++++--- .gitmodules | 6 +++ 5 files changed, 79 insertions(+), 5 deletions(-) create mode 160000 .github/actions/get-workflow-origin create mode 160000 .github/actions/label-when-approved-action create mode 100644 .github/workflows/approve-label-trigger.yml create mode 100644 .gitmodules diff --git a/.github/actions/get-workflow-origin b/.github/actions/get-workflow-origin new file mode 160000 index 00000000000000..588cc14f9f1cdf --- /dev/null +++ b/.github/actions/get-workflow-origin @@ -0,0 +1 @@ +Subproject commit 588cc14f9f1cdf1b8be3db816855e96422204fec diff --git a/.github/actions/label-when-approved-action b/.github/actions/label-when-approved-action new file mode 160000 index 00000000000000..0058d0094da27e --- /dev/null +++ b/.github/actions/label-when-approved-action @@ -0,0 +1 @@ +Subproject commit 0058d0094da27e116fad6e0da516ebe1107f26de diff --git a/.github/workflows/approve-label-trigger.yml b/.github/workflows/approve-label-trigger.yml new file mode 100644 index 00000000000000..1a9cb8415ff7bc --- /dev/null +++ b/.github/workflows/approve-label-trigger.yml 
@@ -0,0 +1,28 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--- +name: Label when reviewed +on: pull_request_review +jobs: + + label-when-reviewed: + name: "Label PRs when reviewed" + runs-on: ubuntu-latest + steps: + - name: "Do nothing. Only trigger corresponding workflow_run event" + run: echo diff --git a/.github/workflows/approve-label.yml b/.github/workflows/approve-label.yml index dfde7dbc6f733a..f02257865e35ed 100644 --- a/.github/workflows/approve-label.yml +++ b/.github/workflows/approve-label.yml 
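Review bot: The new trigger workflow declares no `permissions:` block, so it runs with whatever GITHUB_TOKEN default the repository is configured with, even though its only step is `run: echo` and needs no token at all. Because it fires on `pull_request_review` for every PR, including ones from forks, least privilege should be stated in the file rather than left to repository settings: add `permissions: {}` directly under `on: pull_request_review`. The commit message says the token is read-only for this event, but that is only guaranteed for fork-originated events and may differ for same-repository PRs, so pinning it here removes that dependency. A comment above `jobs:` such as `# Intentionally a no-op: the labelling happens in approve-label.yml on workflow_run, where GITHUB_TOKEN has write scope` would also tell the next maintainer why an empty workflow exists.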
@@ -1,5 +1,31 @@ -name: Label when approved -on: pull_request_review +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +--- +name: Label when approved workflow run +on: + workflow_run: + workflows: ["Label when reviewed"] + types: ['requested'] +permissions: + # All other permissions are set to none + checks: write + contents: read + pull-requests: write jobs: 
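Review bot: `checks: write` in the new `permissions:` block is not consumed by anything visible in this workflow — the labelling steps only add labels and post comments, which `pull-requests: write` already covers — so it appears to have been carried over from the Airflow template, where a separate checks step uses it. Since this `workflow_run` job executes on the default branch with a write-capable token whenever a review lands on any PR, the scopes should be the minimum actually exercised: `permissions:` / `contents: read` / `pull-requests: write`. If one of the vendored actions turns out to need a further read scope (for example to look up the originating run), add that scope explicitly rather than leaving an unused write scope in place. A short comment here stating that this workflow must never check out or run code from the PR head would record the reason the write scopes are acceptable.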
@@ -10,20 +36,32 @@ jobs: isApprovedByCommiters: ${{ steps.label-when-approved-by-commiters.outputs.isApproved }} isApprovedByAnyone: ${{ steps.label-when-approved-by-anyone.outputs.isApproved }} steps: + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" + uses: actions/checkout@v2 + with: + persist-credentials: false + submodules: recursive + - name: "Get information about the original trigger of the run" + uses: ./.github/actions/get-workflow-origin + id: source-run-info + with: + token: ${{ secrets.GITHUB_TOKEN }} + sourceRunId: ${{ github.event.workflow_run.id }} - name: Label when approved by commiters - uses: TobKed/label-when-approved-action@v1.3 + uses: ./.github/actions/label-when-approved-action id: label-when-approved-by-commiters with: token: ${{ secrets.GITHUB_TOKEN }} label: 'approved' require_committers_approval: 'true' remove_label_when_approval_missing: 'true' + pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }} comment: 'PR approved by at least one committer and no changes requested.' - name: Label when approved by anyone - uses: TobKed/label-when-approved-action@v1.3 + uses: ./.github/actions/label-when-approved-action id: label-when-approved-by-anyone with: token: ${{ secrets.GITHUB_TOKEN }} label: 'reviewed' + pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }} comment: 'PR approved by anyone and no changes requested.' - diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000000000..0d295cb2aa86d3 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,6 @@ +[submodule ".github/actions/label-when-approved-action"] + path = .github/actions/label-when-approved-action + url = https://github.com/TobKed/label-when-approved-action +[submodule ".github/actions/get-workflow-origin"] + path = .github/actions/get-workflow-origin + url = https://github.com/potiuk/get-workflow-origin.git
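Review bot: The checkout step takes `github.ref`/`github.sha` (the default branch under `workflow_run`) with `persist-credentials: false` and loads the third-party actions from pinned submodules, which is the correct shape for a job holding `pull-requests: write`, but nothing in the file records that invariant for future editors. I would add above the checkout step: `# workflow_run executes on the default branch with a write token: never check out or execute the PR head in this job`. `submodules: recursive` also fetches any submodules nested inside the two vendored actions; their contents are fixed by the pinned gitlink commits, so this is safe only as long as those commits are reviewed whenever they are bumped, which is worth noting next to the `submodules:` line. The job's `outputs:` section and its header begin before this hunk.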
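Review bot: Both submodule `url` entries appear to point at personal GitHub namespaces (`TobKed`, `potiuk`) rather than a repository the project controls, so CI availability now depends on those accounts keeping the repositories in place; the pinned gitlink commits prevent a force-push from changing what executes, but a deleted or renamed repository would break the labelling workflow. Consider mirroring the two actions into a project-controlled repository and pointing `url` there, or at least adding a comment in this file naming who audits the vendored code when the pinned commits are bumped, since it runs with a `pull-requests: write` token. The first `url` lacks the `.git` suffix the second one has; git accepts both, but making them consistent avoids a needless question during review.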