ci: remove pull_request_target trigger
jackwotherspoon committed Jul 22, 2024
1 parent 821f64f commit 25b5a05
Showing 6 changed files with 98 additions and 201 deletions.
50 changes: 25 additions & 25 deletions .github/labels.yml
Expand Up @@ -16,72 +16,72 @@
color: ededed
description: ""

- name: 'type: bug'
- name: "type: bug"
color: db4437
description: Error or flaw in code with unintended results or allowing sub-optimal
description:
Error or flaw in code with unintended results or allowing sub-optimal
usage patterns.
- name: 'type: cleanup'
- name: "type: cleanup"
color: c5def5
description: An internal cleanup or hygiene concern.
- name: 'type: docs'
- name: "type: docs"
color: 0000A0
description: Improvement to the documentation for an API.
- name: 'type: feature request'
- name: "type: feature request"
color: c5def5
description: ‘Nice-to-have’ improvement, new feature or different behavior or design.
- name: 'type: process'
- name: "type: process"
color: c5def5
description: A process-related concern. May include testing, release, or the like.
- name: 'type: question'
- name: "type: question"
color: c5def5
description: Request for information or clarification.

- name: 'priority: p0'
- name: "priority: p0"
color: b60205
description: Highest priority. Critical issue. P0 implies highest priority.
- name: 'priority: p1'
- name: "priority: p1"
color: ffa03e
description: Important issue which blocks shipping the next release. Will be fixed
description:
Important issue which blocks shipping the next release. Will be fixed
prior to next release.
- name: 'priority: p2'
- name: "priority: p2"
color: fef2c0
description: Moderately-important priority. Fix may not be included in next release.
- name: 'priority: p3'
- name: "priority: p3"
color: ffffc7
description: Desirable enhancement or fix. May not be included in next release.

- name: automerge
color: 00ff00
description: Merge the pull request once unit tests and other checks pass.
- name: 'automerge: exact'
- name: "automerge: exact"
color: 8dd517
description: Summon MOG for automerging, but approvals need to be against the latest
description:
Summon MOG for automerging, but approvals need to be against the latest
commit
- name: do not merge
color: d93f0b
description: Indicates a pull request not ready for merge, due to either quality
description:
Indicates a pull request not ready for merge, due to either quality
or timing.

- name: 'autorelease: pending'
- name: "autorelease: pending"
color: ededed
description: Release please needs to do its work on this.
- name: 'autorelease: triggered'
- name: "autorelease: triggered"
color: ededed
description: Release please has triggered a release for this.
- name: 'autorelease: tagged'
- name: "autorelease: tagged"
color: ededed
description: Release please has completed a release for this.

- name: 'tests: run'
color: 3DED97
description: Label to trigger Github Action tests.

- name: 'flakybot: flaky'
- name: "flakybot: flaky"
color: 86d9d7
description: Tells the Flaky Bot not to close or comment on this issue.
- name: 'flakybot: quiet'
- name: "flakybot: quiet"
color: 86d9d7
description: Tells the Flaky Bot to comment less.
- name: 'flakybot: issue'
- name: "flakybot: issue"
color: a9f9f7
description: An issue filed by the Flaky Bot. Should not be added manually.
55 changes: 23 additions & 32 deletions .github/workflows/codeql.yml
Expand Up @@ -16,24 +16,18 @@ name: "CodeQL"

on:
push:
branches: [ "main" ]
branches: ["main"]
pull_request:
branches: [ "main" ]
branches: ["main"]
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request_target:
types: [labeled]
paths-ignore:
- '**/*.md'
- '**/*.txt'
- "**/*.md"
- "**/*.txt"

# Declare default permissions as read only.
permissions: read-all

jobs:
analyze:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
name: Analyze
runs-on: ubuntu-latest
permissions:
Expand All @@ -44,27 +38,24 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'python' ]
language: ["python"]

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually
- name: Autobuild
uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
category: "/language:${{matrix.language}}"
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually
- name: Autobuild
uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
category: "/language:${{matrix.language}}"
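Review bot: The Autobuild step on the new side (`- name: Autobuild` with its two-line comment) is kept for a matrix that now contains only `"python"`, although the step's own comment says it attempts to build compiled languages (C/C++, C#, Go, or Java); as written it is either dead weight or its purpose for Python is undocumented. Suggest either dropping the step or replacing its comment with `# Autobuild is not needed for Python; kept so compiled languages can be added to the matrix without editing the steps`. Dropping the `ref:`/`repository:` override on the checkout step is consistent with removing pull_request_target, since on a pull_request event the default merge ref is what should be analyzed. The analyze job's `permissions:` block lies between the two hunks and is not visible here, so whether `security-events: write` is granted to the job cannot be confirmed from this page.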
23 changes: 0 additions & 23 deletions .github/workflows/coverage.yml
Expand Up @@ -15,37 +15,14 @@
name: Code Coverage
on:
pull_request:
pull_request_target:
types: [labeled]

# Declare default permissions as read only.
permissions: read-all

jobs:
coverage:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- name: Remove PR Label
if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
try {
await github.rest.issues.removeLabel({
name: 'tests: run',
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
} catch (e) {
console.log('Failed to remove label. Another job may have already removed it!');
}
- name: Setup Python
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
28 changes: 1 addition & 27 deletions .github/workflows/lint.yml
Expand Up @@ -15,51 +15,25 @@
name: Lint
on:
pull_request:
pull_request_target:
types: [labeled]

# Declare default permissions as read only.
permissions: read-all

jobs:
lint:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
name: Run lint
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- name: Remove PR Label
if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
try {
await github.rest.issues.removeLabel({
name: 'tests: run',
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
} catch (e) {
console.log('Failed to remove label. Another job may have already removed it!');
}
- name: Setup Python
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.12"

- name: Install nox
run: pip install nox

- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

- name: Run nox lint session
run: nox --sessions lint
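Review bot: `run: pip install nox` in the Install nox step pulls an unpinned package from PyPI on every run, while every `uses:` in the same job is pinned to a commit SHA; now that the job runs only on `pull_request` with the workflow-level `read-all` token this is a supply-chain consistency gap rather than a privilege issue, but Scorecard's Pinned-Dependencies check will report it. Suggest `run: pip install "nox==<pinned-version>"` (placeholder version; a hash-pinned requirements file is stronger if the project keeps one). The same install line presumably exists in coverage.yml, but that hunk ends before any install step is visible, so I cannot confirm it there. Removing the job-level `permissions:` block is correct: the lint job now inherits `read-all`, which is the minimal grant a lint run needs.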
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Expand Up @@ -18,9 +18,9 @@ on:
branch_protection_rule:
schedule:
# weekly on Sunday
- cron: '0 20 * * 0'
- cron: "0 20 * * 0"
push:
branches: [ "main" ]
branches: ["main"]

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -44,7 +44,7 @@ jobs:
with:
results_file: results.sarif
results_format: sarif

- name: Filter SARIF to skip false positives
# filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions
env:
Expand All @@ -53,7 +53,7 @@ jobs:
SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")')
# Trim the SARIF file to remove false positive detections
cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
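Review bot: The "Filter SARIF to skip false positives" step in the second hunk still strips DangerousWorkflow alerts with a comment justifying it by "safe use of labels to trigger actions", but this commit removes exactly that mechanism (the pull_request_target trigger and the label condition in codeql.yml, coverage.yml and lint.yml, and the `tests: run` label in labels.yml). With the rationale gone, the filter now suppresses genuine findings; either delete the filter step together with the `SCORECARD_SKIPPED_RULE_IDS` setting it reads, or rewrite the comment to state whatever reason remains. The `env:` block holding the skipped rule ids sits between the two hunks and is not visible here, so I cannot confirm DangerousWorkflow is its only entry.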