Switch to pull_request_target in labeler workflow #4101
Merged
This pull request switches the labeler workflow to use pull_request_target instead of pull_request as the event trigger. The difference is that pull_request_target defaults to running checkout commands from the BASE branch, instead of the merge commit. The reason for this is so that outside contributors/forked repos can't open PRs that execute their own code.
To analyze changes, we now check out the codebase twice: once is the base branch (e.g., usually master) and runs the labeler script from there only. It runs git diff from the merge checkout location, so the numbers are from there. This allows external PRs to have the labeler run and apply labels, but only by executing code from a branch already in the repo (i.e., created by those with write-access) rather than the incoming code.
Lastly, this means that changes to the labeler script will only take effect AFTER they have been merged, so to validate labeler updates in the future, a separate PR will need to be opened against the branch in question.
For validation of THIS PR:
We cd into the merge checkout, and then execute the script from the ../base dir
Output:
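The two-checkout pattern described above, sketched as a workflow file. This is an added example, not the workflow from this pull request: the workflow name, step names, the `scripts/labeler.py` path and its arguments are assumptions.

```yaml
# Added illustration; names and the script path are hypothetical.
name: labeler
on:
  pull_request_target:          # uses the workflow definition from the base repo
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write          # only what is needed to apply labels

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # Trusted code: the base branch, the default ref for pull_request_target.
      - name: Check out base
        uses: actions/checkout@v4
        with:
          path: base
          persist-credentials: false

      # Untrusted data: the PR merge commit. Nothing in this tree is executed.
      - name: Check out merge commit
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          path: merge
          fetch-depth: 2        # keep the base-side parent for git diff
          persist-credentials: false

      - name: Run labeler from base against the merge checkout
        working-directory: merge
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # HEAD is the merge commit; HEAD^1 is its base-branch parent.
          git diff --numstat HEAD^1 HEAD > "$RUNNER_TEMP/diff.txt"
          # Hypothetical script path; it is read from ../base, never from merge.
          python3 ../base/scripts/labeler.py "$RUNNER_TEMP/diff.txt" "$PR_NUMBER"
```

The PR number is passed through `env` rather than interpolated into the `run` script, and the token is not persisted into either checkout, so the merge tree is only ever read as data.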