Commit cbe5cb3

ci: Harden labeler workflow, remove unnecessary checkout from pull_request_target job (#20637)
## Which issue does this PR close?

- Closes #.

## Rationale for this change

This PR removes the checkout step from the labeler workflow and keeps labeling behavior unchanged.

## What changes are included in this PR?

The workflow runs on `pull_request_target`, which has elevated repo context. `actions/labeler` does not require a local checkout to work with `configuration-path`; if the file is not on disk, it fetches it via the GitHub API. Removing checkout reduces attack surface and avoids exposing persisted git credentials to subsequent steps.

## Are these changes tested?

Yes, tested on my fork. I force pushed this change to my fork's `main` branch, then opened a [test PR](kevinjqliu#2) against it. The [labeler GitHub action ran successfully on my fork](https://github.com/kevinjqliu/datafusion/actions/runs/22553132113/job/65326120264) and labeled the PR.

## Are there any user-facing changes?

No
1 parent 5d27860 commit cbe5cb3
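
The risk described in the commit message, as an added example that is not part of the commit or the project's tooling: a heuristic line scan (no YAML parser) that lists `actions/checkout` steps in a workflow triggered by `pull_request_target` and reports whether `persist-credentials: false` is set on each. `SAMPLE`, `audit`, `indent` and the job names are constructed for illustration.

```python
import re

# Constructed sample modelled on the job before this commit; not the project's file.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  process:
    steps:
      - uses: actions/checkout@v6  # persist-credentials defaults to true
      - name: Assign GitHub labels
        if: github.event_name == 'pull_request_target'
        uses: actions/labeler@v5
  docs:
    steps:
      - name: Checkout without stored credentials
        uses: actions/checkout@v6
        with:
          persist-credentials: false
"""

TRIGGER = re.compile(r"^(- *)?pull_request_target *:?$|^on *:.*\bpull_request_target\b")
CHECKOUT = re.compile(r"^(- *)?uses *: *actions/checkout(@\S+)?$")
NO_PERSIST = re.compile(r"persist-credentials *: *['\"]?false")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def audit(text):
    """Heuristic line scan: (job, line_no, credentials_persisted) per checkout step."""
    lines = ["" if l.lstrip().startswith("#") else l.split(" #")[0].rstrip() for l in text.splitlines()]
    if not any(TRIGGER.match(l.strip()) for l in lines):
        return []  # workflow is not triggered by pull_request_target
    findings, job, job_indent, in_jobs = [], None, None, False
    for i, line in enumerate(lines):
        if not line:
            continue
        if indent(line) == 0:
            in_jobs, job_indent = line.startswith("jobs:"), None
        elif in_jobs and job_indent in (None, indent(line)):
            job_indent, job = indent(line), line.strip().rstrip(":")  # job id key
        elif in_jobs and CHECKOUT.match(line.strip()):
            start = i
            while start > 0 and not lines[start].lstrip().startswith("- "):
                start -= 1  # walk back to the "- " that opens this step
            end = start + 1  # then forward over the step's more-indented body
            while end < len(lines) and (not lines[end] or indent(lines[end]) > indent(lines[start])):
                end += 1
            findings.append((job, i + 1, not any(NO_PERSIST.search(l) for l in lines[start:end])))
    return findings
```

On the constructed sample, `audit(SAMPLE)` flags the `process` job's checkout as persisting credentials and the `docs` job's checkout as not persisting them; a workflow without the `pull_request_target` trigger returns an empty list.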

1 file changed

Lines changed: 0 additions & 2 deletions

.github/workflows/labeler.yml

@@ -39,8 +39,6 @@ jobs:
3939
contents: read
4040
pull-requests: write
4141
steps:
42-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
43-
4442
- name: Assign GitHub labels
4543
if: |
4644
github.event_name == 'pull_request_target' &&
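
Review bot: With the `actions/checkout` step removed from under `steps:`, nothing in the file records that its absence is deliberate, so a later edit could re-add it to this `pull_request_target` job. Consider a short comment above `steps:` stating that checkout is intentionally omitted because the job holds `pull-requests: write` and the labeler reads its configuration through the API rather than from disk. Keeping `contents: read` on line 39 is consistent with that API read.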
