workflows: Split new-prs into two workflows

tstellar · tstellar · commit 91fdb2091569 · 2023-09-08T22:09:33.000-07:00
We cannot use the default github token for labeling PRs, because this
will not trigger the PR Subscriber job.  However, we weren't allowed to
use a different token via a secret, because secrets aren't allowed
in PR workflows.

The solution is to create two workflows, the first accepts the
pull_request_taget event extracts the PR number and then starts
the second workflow which adds the labels to the PRs.

This separation ensures that nothing malicious in the first workflow is
able to access the secret we use in the second workflow.
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
@@ -1,17 +1,56 @@
 name: "Labelling new pull requests"
 on:
-- pull_request_target
+  workflow_run:
+    workflows: ["PR Receive"]
 
 jobs:
   automate-prs-labels:
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
-    if: github.repository == 'llvm/llvm-project'
+    if: >
+      github.repository == 'llvm/llvm-project' &&
+      github.event.workflow_run.event == 'pull_request_target' &&
+      github.event.workflow_run.conclusion == 'success'
     steps:
-    - uses: actions/labeler@v4
-      with:
-        configuration-path: .github/new-prs-labeler.yml
-        # workaround for https://github.com/actions/labeler/issues/112
-        sync-labels: ''
+      # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+      - name: Debug
+        run: |
+          echo "Event: ${{ github.event.workflow_run.event }} Conclusion: ${{ github.event.workflow_run.conclusion }}"
+      - name: 'Download artifact'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - run: unzip pr.zip
+
+      - name: "Get PR Number"
+        id: vars
+        run:
+          echo "pr-number=`cat NR`" >> $GITHUB_OUTPUT
+
+      - uses: actions/labeler@v4
+        with:
+          configuration-path: .github/new-prs-labeler.yml
+          # workaround for https://github.com/actions/labeler/issues/112
+          sync-labels: ''
+          repo-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
+          pr-number: ${{steps.vars.outputs.pr-number}}
diff --git a/.github/workflows/pr-receive.yml b/.github/workflows/pr-receive.yml
@@ -0,0 +1,23 @@
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: PR Receive
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  pr-target:
+    runs-on: ubuntu-latest
+    if: github.repository == 'llvm/llvm-project'
+    steps:
+      - name: Store PR Information
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: pr
+          path: pr/
