From 6c1684c46c97f18a80964afee9e489acebb06f8c Mon Sep 17 00:00:00 2001
From: Diogo Matsubara
Date: Thu, 29 Aug 2024 15:43:49 +0200
Subject: [PATCH] fix: pass correct credentials to check-labels workflow (#1340)

fix: Change check-labels to be a separate workflow

Due to github permissions, we don't have access to the BOT_WORKFLOW_TOKEN in pull_request events from forks. The recommended way by github docs is to use a pull_request_target event that runs in the context of the base branch. The recommendation is to not run any build or execute code in events like this coming from forks due to increased security risk.
---
 .github/workflows/check-labels.yml | 14 ++++++++++++++
 .github/workflows/ci.yml | 10 ++--------
 2 files changed, 16 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/check-labels.yml

diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml
new file mode 100644
index 0000000000..a6b0282640
--- /dev/null
+++ b/.github/workflows/check-labels.yml
@@ -0,0 +1,14 @@
+name: Check required labels
+
+on:
+  pull_request_target:
+    branches: ["**"]
+
+jobs:
+  check-labels:
+    name: Check PR labels
+    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      pull-requests: write
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b2a6f98599..634d3ec500 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,12 +27,6 @@ env:
   RUSTUP_WINDOWS_PATH_ADD_BIN: 1
 
 jobs:
-  check-labels:
-    name: Check PR labels
-    if: ${{ github.event_name == 'pull_request'}}
-    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
-    secrets: inherit
-
   check:
     name: Lints and doc tests on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
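Review bot: With no `types` filter, `pull_request_target` fires only on opened, synchronize and reopened, so a label added or removed after the PR is opened does not re-run this check; unless the status is meant to be re-run by hand, `types: [opened, synchronize, reopened, labeled, unlabeled]` under `pull_request_target:` would make the required-labels status follow label changes. Because this event runs in the base-branch context and the job grants `pull-requests: write` to the token, the caveat the commit message gives belongs in the file as well, e.g. `# Runs with base-branch secrets on fork PRs: the called workflow must not check out or execute PR-head code.` above `jobs:`. The called workflow is referenced by the mutable `@main` ref (carried over from the job removed from ci.yml); pinning it to a commit SHA would keep a later change to eclipse-zenoh/ci from running here with write permissions without review.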
@@ -157,8 +151,8 @@ jobs:
   ci:
     name: CI status checks
     runs-on: ubuntu-latest
-    needs: [check-labels, check, test, valgrind, typos]
+    needs: [check, test, valgrind, typos]
     if: always()
     steps:
       - name: Check whether all jobs pass
-        run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
+        run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
\ No newline at end of file
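Review bot: Dropping `check-labels` from `needs` means the `CI status checks` job no longer fails when the label check fails, so if branch protection requires only this aggregate job the label requirement stops being enforced; the new `Check PR labels` job would have to be added as a required status check on its own, which this diff cannot show. A comment on the `needs:` line, e.g. `# check-labels now runs in its own pull_request_target workflow; require it in branch protection separately.`, would record that dependency for whoever maintains the protection rules. The `run:` line is otherwise unchanged and only loses the file's final newline; keeping the trailing newline would leave the hunk a pure `needs` edit.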