From 95b4ee8ca9d4d5ae856086d9e91fb6bb0f0485f7 Mon Sep 17 00:00:00 2001
From: Akib Rhast
Date: Fri, 18 Jun 2021 21:33:27 -0400
Subject: [PATCH] Update comment on gh action add-issue-labels-to-pr (#1758)

The comments added to the action clarifies and notes the decision behind the usage of the event `pull_request_target` instead of `pull_request`
---
 .github/workflows/add-issue-labels-to-pr.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/add-issue-labels-to-pr.yml b/.github/workflows/add-issue-labels-to-pr.yml
index ede1af7877..3ae837638b 100644
--- a/.github/workflows/add-issue-labels-to-pr.yml
+++ b/.github/workflows/add-issue-labels-to-pr.yml
@@ -1,6 +1,11 @@
 # Name that appears on the workflow
 name: Add Linked Issue Labels to Pull Request
 on:
+  # github actions triggered by a pull request runs with only read only context due to security and safety reasons(this is the expected behaviour),
+  # as such the event trigger `pull_request` could not be used in this action, since this action needs to make a repository edit.
+  # To bypass this github has provided the event trigger `pull_request_target`, more information regarding this can be found here
+  # - https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
   pull_request_target:
     types: [opened, edited]
 jobs:
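Review bot: The added comment under `on:` presents `pull_request_target` as a way "to bypass" the read-only token but leaves out the condition that makes the trigger acceptable, which is the very point of the securitylab article it links: the workflow runs in the base-branch context with a write-capable `GITHUB_TOKEN`, so it must never check out or execute code from the pull request head. Suggest replacing the third added line with `# pull_request_target runs in the base-branch context with write permissions; never check out or run code from the PR head in this workflow.` so the next maintainer does not add a `checkout` of the head ref to a job that already holds write access. The `jobs:` section that this constraint applies to lies outside the hunk and should be checked against that statement. The wording could also be tightened (`runs with a read-only token`, `reasons (this is the expected behaviour)`).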