From 32b3761d32076d29ebaf050ae16846dba2afab41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com>
Date: Tue, 4 Feb 2025 16:05:19 -0800
Subject: [PATCH 1/3] Change some workflows using `pull_request` to use `pull_request_target` instead (#112161)
* Change workflows to use pull_request_target instead of pull_request event
* Add CODEOWNERS entry
* Add initial readme
---
 .github/CODEOWNERS | 1 +
 .github/workflows/README.md | 6 ++++++
 .github/workflows/check-no-merge-label.yml | 25 ++++++++++++++++++++++
 .github/workflows/check-service-labels.yml | 4 ++--
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/README.md
 create mode 100644 .github/workflows/check-no-merge-label.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 22648cbe1e4e8d..c99c8f6e988a5f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -101,3 +101,4 @@
 /docs/area-owners.* @jeffhandley
 /docs/issue*.md @jeffhandley
 /.github/fabricbot.json @jeffhandley
+/.github/workflows/ @dotnet/runtime-infrastructure
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 00000000000000..308cb2d1a85b6b
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,6 @@
+# Workflows
+
+General guidance:
+
+- Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+- Do not use the `pull_request` event. Use `pull_request_target` instead, as documented in [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).
diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml
new file mode 100644
index 00000000000000..37cc7adf20596b
--- /dev/null
+++ b/.github/workflows/check-no-merge-label.yml
@@ -0,0 +1,25 @@
+name: check-no-merge-label
+
+permissions:
+ pull-requests: read
+
+on:
+ pull_request_target:
+ types: [labeled, unlabeled]
+ branches:
+ - 'main'
+ - 'release/**'
+
+jobs:
+ check-labels:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check 'NO-MERGE' label
+ run: |
+ echo "Merging permission is disabled when the 'NO-MERGE' label is applied."
+ if [ "${{ contains(github.event.pull_request.labels.*.name, 'NO-MERGE') }}" = "false" ]; then
+ exit 0
+ else
+ echo "::error:: The 'NO-MERGE' label was applied to the PR. Merging is disabled."
+ exit 1
+ fi
diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
index 5261cc165ee128..b0061cbdca21c0 100644
--- a/.github/workflows/check-service-labels.yml
+++ b/.github/workflows/check-service-labels.yml
@@ -4,8 +4,8 @@ permissions:
 pull-requests: read
 on:
- pull_request:
- types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+ pull_request_target:
+ types: [labeled, unlabeled]
 branches:
 - 'release/**'
From f683395afaa5e364e82b70cd64c9e49ae2e644a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com>
Date: Wed, 5 Feb 2025 16:58:28 -0800
Subject: [PATCH 2/3] Add repo-specific condition to labeling workflows (#112169)
* Condition labeling workflows to only run on dotnet/runtime.
* Improve readme
* Add jeffhandley as explicit workflow owner
Co-authored-by: Jeff Handley
---
 .github/CODEOWNERS | 2 +-
 .github/workflows/README.md | 20 ++++++++++++++++++--
 .github/workflows/check-no-merge-label.yml | 1 +
 .github/workflows/check-service-labels.yml | 1 +
 4 files changed, 21 insertions(+), 3 deletions(-)
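Review bot: The `run:` step in the new check-no-merge-label.yml interpolates a workflow expression into the shell script and then string-compares its result against `"false"`; the same gate reads more directly as a step condition, `if: contains(github.event.pull_request.labels.*.name, 'NO-MERGE')`, with the `run:` reduced to the `::error::` echo and `exit 1`, which keeps expression evaluation out of the shell entirely. Here the interpolated value is the boolean result of `contains()`, so there is no injection surface today, but a step-level `if:` is the convention worth establishing before a later edit substitutes a free-text field such as a label name or PR title. Because this file is triggered by `pull_request_target`, a header comment along the lines of `# Runs on pull_request_target with base-branch permissions; reads label state only and must never check out or execute PR contents.` would record why the job deliberately has no checkout step.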
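Review bot: The new `types` filter on the `pull_request_target` trigger in check-service-labels.yml drops `synchronize`, so a push to a PR whose labels do not change afterwards produces a head commit this workflow never evaluates; if the check is required by branch protection that commit would presumably show no result until the next label event, and if it is not required the gate is simply absent for it. The later hunk in this series (patch 3/3, same file) restores `opened` and `reopened` but still omits `synchronize`, so the gap remains on the final new side. Since the job reads label state rather than PR contents, `types: [opened, reopened, synchronize, labeled, unlabeled]` keeps the original coverage without re-introducing `edited`. The job body that consumes the labels lies outside this hunk.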
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index c99c8f6e988a5f..d7ecccb46ca92b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -101,4 +101,4 @@
 /docs/area-owners.* @jeffhandley
 /docs/issue*.md @jeffhandley
 /.github/fabricbot.json @jeffhandley
-/.github/workflows/ @dotnet/runtime-infrastructure
+/.github/workflows/ @jeffhandley @dotnet/runtime-infrastructure
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 308cb2d1a85b6b..f5e7799b30e2a2 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -2,5 +2,21 @@
 General guidance:
-- Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
-- Do not use the `pull_request` event. Use `pull_request_target` instead, as documented in [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).
+Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+
+For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though.
+
+Most workflows are intended to run only in the `dotnet/runtime` repository and not in forks. To force workflow jobs to be skipped in forks, each job should apply an `if` statement that checks the repository name or owner. Either approach works, but checking only the repository owner allows the workflow to run in copies or forks withing the dotnet org.
+
+```yaml
+jobs:
+ job-1:
+ # Do not run this job in forks
+ if: github.repository == 'dotnet/runtime'
+
+ job-2:
+ # Do not run this job in forks outside the dotnet org
+ if: github.repository_owner == 'dotnet'
+```
+
+Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information.
diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml
index 37cc7adf20596b..55154410c2c09d 100644
--- a/.github/workflows/check-no-merge-label.yml
+++ b/.github/workflows/check-no-merge-label.yml
@@ -12,6 +12,7 @@ on:
 jobs:
 check-labels:
+ if: github.repository == 'dotnet/runtime'
 runs-on: ubuntu-latest
 steps:
 - name: Check 'NO-MERGE' label
diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
index b0061cbdca21c0..9507f999c8e788 100644
--- a/.github/workflows/check-service-labels.yml
+++ b/.github/workflows/check-service-labels.yml
@@ -11,6 +11,7 @@ on:
 jobs:
 check-labels:
+ if: github.repository == 'dotnet/runtime'
 runs-on: ubuntu-latest
 steps:
 - name: Check 'Servicing-approved' label
From 400f4cfd7b8fdff8d69710ce8acf6b10ad050a01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com>
Date: Tue, 11 Feb 2025 13:50:44 -0600
Subject: [PATCH 3/3] Apply suggestions from code review
---
 .github/workflows/check-service-labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
index 6cc9bfddd5c6b2..c158ff6f1520d6 100644
--- a/.github/workflows/check-service-labels.yml
+++ b/.github/workflows/check-service-labels.yml
@@ -5,7 +5,7 @@ permissions:
 on:
 pull_request_target:
- types: [labeled, unlabeled]
+ types: [opened, reopened, labeled, unlabeled]
 branches:
 - 'release/**'