Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GA] Add Set api label action #2900

Merged
merged 1 commit into from
Aug 22, 2024
Merged

[GA] Add Set api label action #2900

merged 1 commit into from
Aug 22, 2024

Conversation

AlexanderDokuchaev
Copy link
Collaborator

Changes

Add "Set api label" action
Workflow to update API label:

  1. api_changes_check.yml runs (build docs, compare with develop) and saves artifacts with status of check 'add, remove or none` (for external contributor only after approval)
  2. After finished job will be triggered api_set_label.yml with write permission to update label from api_changes_check.yml, that downloads artifact and updates API label in pull request

Reason for changes

To follow Good practices for mitigating script injection attacks pull_request_target is not allow to use for api_changes_check.yml.
But pull_request provide only read permission in result not possible to add label to PR.

@AlexanderDokuchaev AlexanderDokuchaev requested a review from a team as a code owner August 21, 2024 22:56
@KodiaqQ KodiaqQ merged commit 6e05cf9 into openvinotoolkit:develop Aug 22, 2024
13 checks passed
AlexanderDokuchaev added a commit to AlexanderDokuchaev/nncf that referenced this pull request Aug 23, 2024
@AlexanderDokuchaev
[GA] Add Set api label action (openvinotoolkit#2900)
693558e 
### Changes

Add "Set api label" action
Workflow to update API label:
1) `api_changes_check.yml` runs (build docs, compare with develop) and
saves artifacts with status of check 'add, remove or none` (for external
contributor only after approval)
2) After finished job will be triggered `api_set_label.yml` with write
permission to update label from `api_changes_check.yml`, that downloads
artifact and updates API label in pull request

### Reason for changes

To follow [Good practices for mitigating script injection
attacks](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks)
pull_request_target is not allow to use for api_changes_check.yml.
But pull_request provide only read permission in result not possible to
add label to PR.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KodiaqQ KodiaqQ KodiaqQ approved these changes

Assignees

@KodiaqQ KodiaqQ

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AlexanderDokuchaev @KodiaqQ