From 31d2417dde4b28c0e5875e5ff49923814dbb5c09 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Wed, 14 Jan 2026 14:21:05 +0100
Subject: [PATCH] chore: fix permissions for the draft labeling automation (#6732)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../mark-as-draft-on-requesting-changes.yml | 56 ++++++++++---------
 1 file changed, 31 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/mark-as-draft-on-requesting-changes.yml b/.github/workflows/mark-as-draft-on-requesting-changes.yml
index fea29ab86..99e8384e4 100644
--- a/.github/workflows/mark-as-draft-on-requesting-changes.yml
+++ b/.github/workflows/mark-as-draft-on-requesting-changes.yml
@@ -1,56 +1,62 @@
 name: Mark PR as draft when changes are requested
-on:
- pull_request_review:
- types: [submitted]
-
- pull_request:
- types: [labeled]
+# pull_request_target is safe here because:
+# 1. Does not use any external actions; only uses the GitHub CLI via run commands
+# 2. Has minimal permissions
+# 3. Doesn't checkout or execute any untrusted code from PRs
+# 4. Only adds/removes labels or changes the draft status
+on: # zizmor: ignore[dangerous-triggers]
+ pull_request_target:
+ types:
+ - review_submitted
+ - labeled
+ - ready_for_review
 permissions: {}
 jobs:
 mark-draft:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 if: |
 (
- github.event_name == 'pull_request_review' &&
+ github.event.action == 'review_submitted' &&
 github.event.review.state == 'changes_requested'
 ) || (
- github.event_name == 'pull_request' &&
+ github.event.action == 'labeled' &&
 github.event.label.name == 'pr:please address review comments'
 )
 steps:
 - name: Add label on requested changes
- if: github.event_name == 'pull_request_review'
+ if: github.event.review.state == 'changes_requested'
 env:
- GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ github.token }}
 run: |
- gh issue edit "$PR_NUMBER" \
- --repo "$REPO" \
+ gh issue edit "${{ github.event.pull_request.number }}" \
+ --repo "${{ github.repository }}" \
 --add-label "pr:please address review comments"
 - name: Mark PR as draft
 env:
- GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
- PR_URL: ${{ github.event.pull_request.html_url }}
- run: gh pr ready "$PR_URL" --undo || true
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh pr ready "${{ github.event.pull_request.number }}" --undo || true
+
 ready-for-review:
 runs-on: ubuntu-latest
- if: github.event_name == 'pull_request' && github.event.action == 'ready_for_review'
+ permissions:
+ pull-requests: write
+ if: github.event.action == 'ready_for_review'
 steps:
 - name: Update labels for review
 env:
- GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ github.token }}
 run: |
- gh issue edit "$PR_NUMBER" \
- --repo "$REPO" \
+ gh issue edit "${{ github.event.pull_request.number }}" \
+ --repo "${{ github.repository }}" \
 --remove-label "pr:please address review comments" || true
- gh issue edit "$PR_NUMBER" \
- --repo "$REPO" \
+ gh issue edit "${{ github.event.pull_request.number }}" \
+ --repo "${{ github.repository }}" \
 --add-label "pr:needs review"
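Review bot: The changes-requested path looks dead after this change: `pull_request_target` has no `review_submitted` activity type (reviews are delivered only by the `pull_request_review` event, whose types are `submitted`/`edited`/`dismissed`), so `github.event.action == 'review_submitted'` in the job-level `if` and `github.event.review.state` in the step `if` never match, and GitHub may reject the workflow for the unknown type. Keep `pull_request_review: types: [submitted]` as a second trigger and gate on `github.event_name` as the old version did; be aware that for pull requests from forks the `github.token` of a `pull_request_review` run is read-only, so the label step would need a token with write scope in that case, if fork PRs matter here. Separately, `gh pr ready "${{ github.event.pull_request.number }}" --undo` passes no `--repo` and the job never checks out the repository, so unless gh resolves the repository from the environment the call fails and `|| true` silently hides it; pass `--repo "${{ github.repository }}"` as the `gh issue edit` steps do. The inline `${{ }}` interpolation inside `run:` is not a template-injection risk for these particular contexts (a PR number and the repository slug), but the old `env:`-variable form is the pattern linters such as zizmor recommend and was worth keeping.

```yaml
on: # zizmor: ignore[dangerous-triggers]
  pull_request_review:
    types: [submitted]
  pull_request_target:
    types:
      - labeled
      - ready_for_review
# … unchanged: permissions, jobs/mark-draft header and job permissions …
    if: |
      (
        github.event_name == 'pull_request_review' &&
        github.event.review.state == 'changes_requested'
      ) || (
        github.event_name == 'pull_request_target' &&
        github.event.action == 'labeled' &&
        github.event.label.name == 'pr:please address review comments'
      )
    steps:
      - name: Add label on requested changes
        if: github.event_name == 'pull_request_review'
# … unchanged: env and run of the label step …
      - name: Mark PR as draft
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr ready "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --undo || true
# … unchanged: ready-for-review job …
```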