From f5307e4bd4e8a63911cf34c93fb364788ac0d67c Mon Sep 17 00:00:00 2001
From: Matt Fiddaman <github@m.fiddaman.uk>
Date: Wed, 19 Jun 2024 21:22:47 +0100
Subject: [PATCH] Copy trafico workflow from actual (#380)

---
 .github/workflows/trafico.yml | 39 +++++++++++++++++++++++++++++++++++
 upcoming-release-notes/380.md |  6 ++++++
 2 files changed, 45 insertions(+)
 create mode 100644 .github/workflows/trafico.yml
 create mode 100644 upcoming-release-notes/380.md

diff --git a/.github/workflows/trafico.yml b/.github/workflows/trafico.yml
new file mode 100644
index 000000000..c39fb0668
--- /dev/null
+++ b/.github/workflows/trafico.yml
@@ -0,0 +1,39 @@
+##########################################################################################
+# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will    #
+# always run in the context of the main actualbudget/actual repo, even if the PR is from #
+# a fork. This is necessary to get access to a GitHub token that can modify the PR.      #
+# Be VERY CAREFUL about adding things to this workflow, since forks can inject           #
+# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
+# code execution in this workflow could lead to a compromise of the main repo.           #
+##########################################################################################
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests    #
+##########################################################################################
+
+name: Trafico Reviews
+
+on:
+  pull_request_target:
+    types:
+     - opened
+     - closed
+     - reopened
+     - synchronize
+     - edited
+     - review_requested
+     - review_request_removed
+  pull_request_review:
+    types: [submitted, edited, dismissed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  manage-review:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actualbudget/trafico@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
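Review bot: The step `- uses: actualbudget/trafico@main` follows a mutable branch, so any later commit to that branch runs here under `pull_request_target` with the `pull-requests: write` token, without review in this repository. Pinning it to a full commit SHA, e.g. `- uses: actualbudget/trafico@<FULL_COMMIT_SHA>  # placeholder: the reviewed trafico commit`, fixes the executed code to what was audited. The job-level `permissions` block already limits the token to pull requests, which bounds the impact but does not remove it. The `pull_request_review` trigger may not work for fork PRs, because GitHub gives that event a read-only `GITHUB_TOKEN` for forks regardless of the `permissions` block; it is worth confirming the action handles this. The banner comment still names `actualbudget/actual` as the repo context and has the typo "mans"; as the subject says the file was copied from actual, it should probably name this repository. The file also lacks a trailing newline.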
diff --git a/upcoming-release-notes/380.md b/upcoming-release-notes/380.md
new file mode 100644
index 000000000..ec202c955
--- /dev/null
+++ b/upcoming-release-notes/380.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [twk3]
+---
+
+Switch to using a Trafico GitHub action to restore review management.