From 7978f667dc386d933ee3a344474ec4b1043d112b Mon Sep 17 00:00:00 2001
From: Diogo Mendes Matsubara
Date: Thu, 29 Aug 2024 15:21:14 +0200
Subject: [PATCH] fix: Change check-labels to be a separate workflow

Due to github permissions, we don't have access to the BOT_WORKFLOW_TOKEN in pull_request events from forks. The recommended way by github docs is to use a pull_request_target event that runs in the context of the base branch. The recommendation is to not run any build or execute code in events like this coming from forks due to increased security risk.
---
 .github/workflows/check-labels.yml | 14 ++++++++++++++
 .github/workflows/ci.yml | 18 ++----------------
 2 files changed, 16 insertions(+), 16 deletions(-)
 create mode 100644 .github/workflows/check-labels.yml

diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml
new file mode 100644
index 0000000000..a6b0282640
--- /dev/null
+++ b/.github/workflows/check-labels.yml
@@ -0,0 +1,14 @@
+name: Check required labels
+
+on:
+ pull_request_target:
+ branches: ["**"]
+
+jobs:
+ check-labels:
+ name: Check PR labels
+ uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ permissions:
+ pull-requests: write
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0129deaca7..634d3ec500 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,15 +27,6 @@ env:
 RUSTUP_WINDOWS_PATH_ADD_BIN: 1
 jobs:
- check-labels:
- name: Check PR labels
- if: ${{ github.event_name == 'pull_request'}}
- uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
- secrets:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- permissions:
- pull-requests: write
-
 check:
 name: Lints and doc tests on ${{ matrix.os }}
 runs-on: ${{ matrix.os }}
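Review bot: In the new `.github/workflows/check-labels.yml`, the line `uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main` resolves a mutable branch at run time, and under `pull_request_target` that code runs in the base-repository context with a token granted `pull-requests: write`, for pull requests from forks as well. Pinning the reusable workflow to a reviewed commit makes the trusted code explicit, e.g. `uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@<full-commit-sha>  # main`. The called workflow is not visible here, so it should be confirmed that it only reads PR metadata, and the file should say so in a header comment such as `# Runs with base-repo permissions on fork PRs: must never check out or execute PR head code`. The default activity types of this trigger do not include label changes, so if the check is meant to re-run when a label is added or removed, `types: [opened, reopened, synchronize, labeled, unlabeled]` is needed under `pull_request_target:`.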
@@ -160,13 +151,8 @@ jobs:
 ci:
 name: CI status checks
 runs-on: ubuntu-latest
- needs: [check-labels, check, test, valgrind, typos]
+ needs: [check, test, valgrind, typos]
 if: always()
 steps:
 - name: Check whether all jobs pass
- run: |
- if [${{ github.event_name == 'pull_request' }}]; then
- echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
- else
- echo '${{ toJson(needs) }}' | jq -e 'del(."check-labels")' | jq -e 'all(.result == "success")'
- fi
+ run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
\ No newline at end of file
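Review bot: The new `run:` line of the `ci` job splices `${{ toJson(needs) }}` into the shell script between single quotes, so a job output containing a `'` would end the quoting and the rest would be parsed as shell; the outputs of the needed jobs are not visible in this hunk, so whether that can occur today is unconfirmed. Passing the value through the environment removes the question: add `env:` with `NEEDS: ${{ toJson(needs) }}` to the step and use `run: echo "$NEEDS" | jq -e 'all(.result == "success")'`. With `if: always()` a dependency that ends as `skipped` also fails this check, which deserves a one-line comment if that is intended. The file now ends without a trailing newline, which is worth restoring.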