fix: pass correct credentials to check-labels workflow (#1340)

fix: Change check-labels to be a separate workflow Due to github permissions, we don't have access to the BOT_WORKFLOW_TOKEN in pull_request events from forks. The recommended way by github docs is to use a pull_request_target event that runs in the context of the base branch. The recommendation is to not run any build or execute code in events like this coming from forks due to increased security risk.
eclipse-zenoh · Aug 29, 2024 · 6c1684c · 6c1684c
1 parent 357945b
commit 6c1684c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml
@@ -0,0 +1,14 @@
+name: Check required labels
+
+on:
+  pull_request_target:
+    branches: ["**"]
+
+jobs:
+  check-labels:
+    name: Check PR labels
+    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      pull-requests: write
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,12 +27,6 @@ env:
   RUSTUP_WINDOWS_PATH_ADD_BIN: 1
 
 jobs:
-  check-labels:
-    name: Check PR labels
-    if: ${{ github.event_name == 'pull_request'}}
-    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
-    secrets: inherit
-
   check:
     name: Lints and doc tests on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
@@ -157,8 +151,8 @@ jobs:
   ci:
     name: CI status checks
     runs-on: ubuntu-latest
-    needs: [check-labels, check, test, valgrind, typos]
+    needs: [check, test, valgrind, typos]
     if: always()
     steps:
       - name: Check whether all jobs pass
-        run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
+        run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'