[v15] switch trusted/remote cluster management to atomic write #33873
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow is run whenever a pull request is opened, re-opened, or taken | |
# out of draft (ready for review). | |
# | |
# NOTE: pull_request_target behaves the same as pull_request except it grants a | |
# read/write token to workflows running on a pull request from a fork. While | |
# this may seem unsafe, the permissions for the token are limited below and | |
# the permissions can not be changed without merging to master which is | |
# protected by CODEOWNERS. | |
name: Label | |
on: | |
pull_request_target: | |
types: [opened, ready_for_review] | |
# Limit the permissions on the GitHub token for this workflow to the subset | |
# that is required. In this case, the label workflow only needs to be able | |
# to update labels on the PR, so it needs write access to "pull-requests", | |
# nothing else. | |
permissions: | |
pull-requests: write | |
actions: none | |
checks: none | |
contents: none | |
deployments: none | |
issues: none | |
packages: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
jobs: | |
auto-label-pr: | |
name: Label Pull Request | |
if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} | |
runs-on: ubuntu-latest | |
steps: | |
# Checkout main branch of shared-workflow repository. | |
- name: Checkout shared-workflow | |
uses: actions/checkout@v4 | |
with: | |
repository: gravitational/shared-workflows | |
path: .github/shared-workflows | |
ref: main | |
- name: Installing Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 'stable' | |
# Run "check" subcommand on bot. | |
- name: Labeling PR | |
run: cd .github/shared-workflows/bot && go run main.go -workflow=label -token="${{ secrets.GITHUB_TOKEN }}" -reviewers="${{ secrets.reviewers }}" |