From 2ee3470627deae0ad11adf8c76bb6b8a1cd3619c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Mon, 9 Jun 2025 12:24:31 -0500 Subject: [PATCH] ci: gha: Remove ok-to-test label on every push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This removes the ok-to-test label on every push, except if the PR author has write access to the repo (ie. permission to modify labels). This protects against attackers who would initially open a genuine PR, then push malicious code after the initial review. Signed-off-by: Aurélien Bombo --- .github/workflows/validate-ok-to-test.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/validate-ok-to-test.yml diff --git a/.github/workflows/validate-ok-to-test.yml b/.github/workflows/validate-ok-to-test.yml new file mode 100644 index 000000000..33bfaeea6 --- /dev/null +++ b/.github/workflows/validate-ok-to-test.yml @@ -0,0 +1,30 @@ +name: Validate ok-to-test label + +on: + pull_request_target: + types: [synchronize] + +jobs: + remove-label-if-needed: + runs-on: ubuntu-22.04 + permissions: + # SAFETY: Only enough to modify labels. + issues: write + steps: + - name: Remove ok-to-test label on push + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.pull_request.number }} + AUTHOR: ${{ github.event.pull_request.user.login }} + OWNER: ${{ github.repository.owner.login }} + REPO: ${{ github.event.repository.name }} + run: | + permission="$(gh api "repos/${OWNER}/${REPO}/collaborators/${AUTHOR}/permission" --jq '.permission')" + echo "User ${AUTHOR} has permission '${permission}'" + + if [[ "${permission}" != "write" && "${permission}" != "admin" ]]; then + echo "Removing 'ok-to-test' label" + gh pr edit "${PR_NUMBER}" --repo "${OWNER}/${REPO}" --remove-label "ok-to-test" + else + echo "User has label permission - skipping removal" + fi