Skip to content

Label PR based on title #10696

Label PR based on title

Label PR based on title #10696

name: Label PR based on title
# PROCESS
#
# 1. Fetch PR details previously saved from untrusted location
# 2. Parse details for safety
# 3. Label PR based on semantic title (e.g., area, change type)
# USAGE
#
# NOTE: meant to be used with ./.github/workflows/record_pr.yml
#
# Security Note:
#
# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
#
# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
on:
workflow_run:
workflows: ["Record PR details"]
types:
- completed
permissions:
contents: read
jobs:
get_pr_details:
permissions:
actions: read # download PR artifact
contents: read # checkout code
# Guardrails to only ever run if PR recording workflow was indeed
# run in a PR event and ran successfully
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
workflow_origin: ${{ github.event.repository.full_name }}
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
label_pr:
needs: get_pr_details
runs-on: ubuntu-latest
permissions:
pull-requests: write # label respective PR
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Label PR based on title"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
PR_TITLE: ${{ needs.get_pr_details.outputs.prTitle }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# This safely runs in our base repo, not on fork
# thus allowing us to provide a write access token to label based on PR title
# and label PR based on semantic title accordingly
script: |
const script = require('.github/scripts/label_pr_based_on_title.js')
await script({github, context, core})