mirror of
https://github.com/mermaid-js/mermaid.git
synced 2025-01-28 07:03:17 +08:00
dc22189eef
Using `pull_request_target` is pretty dangerous, since it heavily increases the risk of malicious PRs getting access to the mermaid-js repo. What we're doing currently is safe, but we should add a warning message just to ensure that we're very careful when we make changes. See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
28 lines
1.0 KiB
YAML
28 lines
1.0 KiB
YAML
name: Apply labels to PR
|
|
on:
|
|
pull_request_target:
|
|
# required for pr-labeler to support PRs from forks
|
|
# ===================== ⛔ ☢️ 🚫 ⚠️ Warning ⚠️ 🚫 ☢️ ⛔ =======================
|
|
# Be very careful what you put in this GitHub Action workflow file to avoid
|
|
# malicious PRs from getting access to the Mermaid-js repo.
|
|
#
|
|
# Please read the following first before reviewing/merging:
|
|
# - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
|
|
# - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
|
|
types: [opened]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
pr-labeler:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read # read permission is required to read config file
|
|
pull-requests: write # write permission is required to label PRs
|
|
steps:
|
|
- name: Label PR
|
|
uses: TimonVS/pr-labeler-action@v4
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|