ci(l1): fix unnecessary approval and other minor fixes. #5021
base: main
Pull Request Overview
This PR enhances GitHub workflow configuration to eliminate unnecessary approval prompts for forked PRs and improve workflow responsiveness to label changes.
Key Changes:
- Switches `pr_github_metadata.yaml` from `pull_request` to `pull_request_target` trigger to run workflows in the base repository context
- Adds `labeled` and `unlabeled` event types to `pr_github_status_l1.yaml` to respond to label changes
- Introduces concurrency control to prevent multiple simultaneous workflow runs for the same PR
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/pr_github_status_l1.yaml` | Adds label event triggers, concurrency control, and improves comment clarity |
| `.github/workflows/pr_github_metadata.yaml` | Changes trigger to `pull_request_target` and removes fork check from label job |
| }); | ||
| label-pr: | ||
| name: Set Labels |
Copilot AI, Oct 23, 2025
Removing the fork check (`if: github.event.pull_request.head.repo.fork == false`) while using `pull_request_target` is dangerous. This allows forked PRs to execute workflows with access to repository secrets and write permissions, creating a potential security vulnerability where malicious code from forks could access sensitive resources.
| name: Set Labels | |
| name: Set Labels | |
| if: github.event.pull_request.head.repo.fork == false |
Does Copilot have a point here?
|
|
||
| on: | ||
| pull_request: | ||
| pull_request_target: |
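Review bot: at `on:`, the switch from `pull_request` to `pull_request_target` makes every job in this file run in the base repository's context for fork PRs as well, so the trigger line should carry a comment stating that no step may check out or run code from the PR head. Consider also declaring a minimal top-level `permissions:` block next to this trigger; none appears in the visible lines.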
Can you add a comment explaining why we use this instead of pull_request?
Motivation
Don't get those annoying "approve workflow" messages
Description
`pull_request_target` so that the workflow runs in the base repo
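The review thread turns on whether `pull_request_target` is safe once the fork check is gone. As an added example (not code from this PR or the project), the Python check below flags the two conditions that make the trigger risky: checking out the PR head in the base-repo context, and running without an explicit `permissions:` block. The sample workflows and the name `audit_workflow` are constructed for illustration, and the check is a text heuristic rather than a full YAML parse.

```python
import re

# Constructed sample: builds untrusted PR head code under pull_request_target.
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Constructed sample: label-only job, no checkout, scoped token.
LABEL_ONLY = """\
on:
  pull_request_target:
    types: [opened, labeled, unlabeled]
permissions:
  pull-requests: write
jobs:
  label-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

# Expressions that resolve to the fork's commit or branch.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")

def audit_workflow(text: str) -> list[str]:
    """Return findings for a workflow that triggers on pull_request_target."""
    # Ignore full-line comments so commented-out triggers do not count.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []  # plain pull_request runs fork PRs with a read-only token
    findings = []
    if "actions/checkout" in body and HEAD_REF.search(body):
        findings.append("checks out PR head code in base-repo context")
    if not re.search(r"^\s*permissions\s*:", body, re.M):
        findings.append("no explicit permissions block")
    return findings
```
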