Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: remove pull_request_target trigger #1133

Merged
merged 4 commits into from
Jul 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 25 additions & 25 deletions .github/labels.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,72 +16,72 @@
color: ededed
description: ""

- name: 'type: bug'
- name: "type: bug"
color: db4437
description: Error or flaw in code with unintended results or allowing sub-optimal
description:
Error or flaw in code with unintended results or allowing sub-optimal
usage patterns.
- name: 'type: cleanup'
- name: "type: cleanup"
color: c5def5
description: An internal cleanup or hygiene concern.
- name: 'type: docs'
- name: "type: docs"
color: 0000A0
description: Improvement to the documentation for an API.
- name: 'type: feature request'
- name: "type: feature request"
color: c5def5
description: ‘Nice-to-have’ improvement, new feature or different behavior or design.
- name: 'type: process'
- name: "type: process"
color: c5def5
description: A process-related concern. May include testing, release, or the like.
- name: 'type: question'
- name: "type: question"
color: c5def5
description: Request for information or clarification.

- name: 'priority: p0'
- name: "priority: p0"
color: b60205
description: Highest priority. Critical issue. P0 implies highest priority.
- name: 'priority: p1'
- name: "priority: p1"
color: ffa03e
description: Important issue which blocks shipping the next release. Will be fixed
description:
Important issue which blocks shipping the next release. Will be fixed
prior to next release.
- name: 'priority: p2'
- name: "priority: p2"
color: fef2c0
description: Moderately-important priority. Fix may not be included in next release.
- name: 'priority: p3'
- name: "priority: p3"
color: ffffc7
description: Desirable enhancement or fix. May not be included in next release.

- name: automerge
color: 00ff00
description: Merge the pull request once unit tests and other checks pass.
- name: 'automerge: exact'
- name: "automerge: exact"
color: 8dd517
description: Summon MOG for automerging, but approvals need to be against the latest
description:
Summon MOG for automerging, but approvals need to be against the latest
commit
- name: do not merge
color: d93f0b
description: Indicates a pull request not ready for merge, due to either quality
description:
Indicates a pull request not ready for merge, due to either quality
or timing.

- name: 'autorelease: pending'
- name: "autorelease: pending"
color: ededed
description: Release please needs to do its work on this.
- name: 'autorelease: triggered'
- name: "autorelease: triggered"
color: ededed
description: Release please has triggered a release for this.
- name: 'autorelease: tagged'
- name: "autorelease: tagged"
color: ededed
description: Release please has completed a release for this.

- name: 'tests: run'
color: 3DED97
description: Label to trigger Github Action tests.

- name: 'flakybot: flaky'
- name: "flakybot: flaky"
color: 86d9d7
description: Tells the Flaky Bot not to close or comment on this issue.
- name: 'flakybot: quiet'
- name: "flakybot: quiet"
color: 86d9d7
description: Tells the Flaky Bot to comment less.
- name: 'flakybot: issue'
- name: "flakybot: issue"
color: a9f9f7
description: An issue filed by the Flaky Bot. Should not be added manually.
19 changes: 0 additions & 19 deletions .github/trusted-contribution.yml

This file was deleted.

55 changes: 23 additions & 32 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,24 +16,18 @@ name: "CodeQL"

on:
push:
branches: [ "main" ]
branches: ["main"]
pull_request:
branches: [ "main" ]
branches: ["main"]
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request_target:
types: [labeled]
paths-ignore:
- '**/*.md'
- '**/*.txt'
- "**/*.md"
- "**/*.txt"

# Declare default permissions as read only.
permissions: read-all

jobs:
analyze:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
name: Analyze
runs-on: ubuntu-latest
permissions:
Expand All @@ -44,27 +38,24 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'python' ]
language: ["python"]

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually
- name: Autobuild
uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
category: "/language:${{matrix.language}}"
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually
- name: Autobuild
uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
with:
category: "/language:${{matrix.language}}"
23 changes: 0 additions & 23 deletions .github/workflows/coverage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,37 +15,14 @@
name: Code Coverage
on:
pull_request:
pull_request_target:
types: [labeled]

# Declare default permissions as read only.
permissions: read-all

jobs:
coverage:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- name: Remove PR Label
if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
try {
await github.rest.issues.removeLabel({
name: 'tests: run',
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
} catch (e) {
console.log('Failed to remove label. Another job may have already removed it!');
}

- name: Setup Python
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
Expand Down
28 changes: 1 addition & 27 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,51 +15,25 @@
name: Lint
on:
pull_request:
pull_request_target:
types: [labeled]

# Declare default permissions as read only.
permissions: read-all

jobs:
lint:
if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
name: Run lint
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- name: Remove PR Label
if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
try {
await github.rest.issues.removeLabel({
name: 'tests: run',
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
} catch (e) {
console.log('Failed to remove label. Another job may have already removed it!');
}

- name: Setup Python
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.12"

- name: Install nox
run: pip install nox

- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}

- name: Run nox lint session
run: nox --sessions lint
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ on:
branch_protection_rule:
schedule:
# weekly on Sunday
- cron: '0 20 * * 0'
- cron: "0 20 * * 0"
push:
branches: [ "main" ]
branches: ["main"]

# Declare default permissions as read only.
permissions: read-all
Expand All @@ -44,7 +44,7 @@ jobs:
with:
results_file: results.sarif
results_format: sarif

- name: Filter SARIF to skip false positives
# filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions
env:
Expand All @@ -53,7 +53,7 @@ jobs:
SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")')
# Trim the SARIF file to remove false positive detections
cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
Expand Down
Loading
Loading