Skip to content

ci(l1): fix unnecesary approval and other minor fixes. #5021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ci(l1): fix unnecesary approval and other minor fixes. #5021

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d8e6e5a
ci(l1): fix unnecesary approval and other minor fixes.
mpaulucci Oct 23, 2025
0e7f317
Remove concurrency.
mpaulucci Oct 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions .github/workflows/pr_github_metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: PR Github Metadata

on:
pull_request:
pull_request_target:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment explaining why we use this instead of pull_request?

types: [opened, edited, reopened]

permissions:
Expand Down Expand Up @@ -32,7 +32,6 @@ jobs:

label-pr:
name: Set Labels
Copy link

Copilot AI Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing the fork check (if: github.event.pull_request.head.repo.fork == false) while using pull_request_target is dangerous. This allows forked PRs to execute workflows with access to repository secrets and write permissions, creating a potential security vulnerability where malicious code from forks could access sensitive resources.

Suggested change
name: Set Labels
name: Set Labels
if: github.event.pull_request.head.repo.fork == false

Copilot uses AI. Check for mistakes.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does Copilot have a point here?

if: github.event.pull_request.head.repo.fork == false
runs-on: ubuntu-latest
steps:
- name: Checkout repository
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/pr_github_status_l1.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ on:
edited,
ready_for_review,
converted_to_draft,
labeled,
unlabeled,
]
pull_request_review:
types: [submitted]
Expand All @@ -18,7 +20,8 @@ jobs:
update-project-status:
name: Update PR status for ethrex_l1 project
runs-on: ubuntu-latest
# sadly pull_request_review doesn't have direct access to labels information so we'll have to check this later.
# Skip forked PRs: they can't access the GitHub App secrets this job relies on.
# pull_request_review lacks label data, so the script double-checks before proceeding.
if: github.event.pull_request.head.repo.fork == false && (github.event_name == 'pull_request_review' || contains(github.event.pull_request.labels.*.name, 'L1'))
permissions:
contents: read
Expand Down
Loading