fix(ci): use pull_request_target for fork PR labeling #585
Pedrovaleriolopez merged 4 commits into main from
Walkthrough
Changed the PR labeling workflow to run on
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Contributor as Contributor (fork)
    participant GitHub as GitHub Events
    participant Workflow as PR Labeling Workflow (base repo)
    participant GitHubAPI as GitHub REST API
    participant Labeler as actions/labeler (pinned)
    Contributor->>GitHub: Open PR
    GitHub->>Workflow: trigger pull_request_target
    Workflow->>GitHubAPI: paginate pulls.listFiles (per_page=100)
    GitHubAPI-->>Workflow: file list (filename, previous_filename)
    alt any file path starts with "squads/"
        Workflow->>GitHubAPI: add label "needs-po-review" to PR
    end
    Workflow->>Labeler: run labeler action (pinned commit) for other labels
    Labeler-->>Workflow: labeling results
```
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-labeling.yml:
- Around line 30-36: The current hasSquadChanges check only inspects f.filename
and misses renames out of squads/, so update the predicate used when
constructing hasSquadChanges (after calling github.paginate on pulls.listFiles
into files) to also inspect f.previous_filename safely; for example, change the
files.some(...) to return true if either f.filename or f.previous_filename
startsWith('squads/'), handling undefined values (e.g., via null-coalescing or
explicit checks) so moves from squads/ are detected.
Switch trigger from pull_request to pull_request_target so fork PRs get a write-capable GITHUB_TOKEN. Replace git-diff squad detection with GitHub API (pulls.listFiles) since pull_request_target does not check out fork commits. Remove unnecessary checkout step.

Closes #479

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Use github.paginate() instead of a single API call to ensure squad detection works even for large PRs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Address CodeRabbit review: also check previous_filename for renames moving files out of squads/, preventing policy bypass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
0702e7a to ea9ba99
CodeRabbit feedback addressed in commit ea9ba92 (previous_filename check added)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-labeling.yml:
- Around line 20-27: Replace the movable tags for the two GitHub Actions with
the provided immutable commit SHAs: change the usage of actions/labeler@v4 to
actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 and change
actions/github-script@v7 to
actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b (leave the
existing inputs like repo-token and configuration-path unchanged); after
updating the refs, run CI or dependabot/renovate to manage future updates with
pinned SHAs.
♻️ Duplicate comments (1)
.github/workflows/pr-labeling.yml (1)
20-27: ⚠️ Potential issue | 🟠 Major
Pin action refs to immutable SHAs (prior feedback unaddressed).
Lines 20 and 27 still use movable major tags (@v4, @v7) in a pull_request_target workflow with pull-requests: write permissions. This creates a supply-chain security risk—an upstream compromise or tag retargeting could execute malicious code with write access to pull requests. Pin both actions to their immutable commit SHAs:
🔒 Proposed fix
- name: Label PR based on files changed - uses: actions/labeler@v4 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v4.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yml sync-labels: true - name: Check for squad changes and add label - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with:Use Dependabot or Renovate to automate future updates while maintaining immutable references.
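Review bot: the commits proposed in this hunk do not match the ones proposed for the same @v4 and @v7 tags earlier in this thread (here actions/labeler@8558fd74… marked v4.3.0 and actions/github-script@60a0d830… marked v7.0.1; the earlier comment named ac9175f8… and f28e40c7…), so do not copy either set blindly. Resolve the tag you actually want yourself, for example `git ls-remote --tags https://github.com/actions/labeler v4.3.0` (for an annotated tag the `^{}` line is the commit), and pin the SHA that returns; a pin that silently points at a different release than its trailing comment claims is worse than no pin, because nobody will question it again. Keep the `# vX.Y.Z` comment after each SHA so a reader can see which release the pin is meant to be and so automated updates can keep it in step.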
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/pr-labeling.yml:
- Around line 20-27: The workflow uses movable tags actions/labeler@v4 and
actions/github-script@v7 in a pull_request_target context—replace those version
tags with the corresponding immutable commit SHAs (e.g.,
actions/labeler@<full-commit-sha> and actions/github-script@<full-commit-sha>)
so the workflow references a fixed commit; update both occurrences in the file
(the uses lines for actions/labeler and actions/github-script), commit the
changes, and add Dependabot or Renovate to manage future pin updates
automatically.
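A check for the exact combination the review above keeps flagging, as an added JavaScript example that is neither the project's code nor CodeRabbit's: it reads a workflow file and reports actions referenced by a movable tag or branch in a workflow that runs on pull_request_target and requests a write scope. The parser handles only the block-style `on:` / `permissions:` layout shown; `scanWorkflow`, `demoScan`, the sample workflow text and the 40-hex placeholder SHA are constructed for the example.

```javascript
// Added example, not code from the PR or from CodeRabbit: a lint that flags
// a workflow triggered by pull_request_target that holds a write scope and
// references an action by a movable ref (tag or branch) rather than a full
// 40-hex commit SHA. It parses only the block-style layout used in the
// samples below; the sample workflow text and the placeholder SHA are
// constructed.

const SHA40 = /^[0-9a-f]{40}$/;

function scanWorkflow(text) {
  let topKey = null;        // current top-level YAML key (on, permissions, jobs ...)
  let onTarget = false;     // workflow runs on pull_request_target
  const writeScopes = [];   // permission scopes set to write, at any level
  const unpinned = [];      // uses: refs that are not a commit SHA
  for (const raw of text.split('\n')) {
    const line = raw.replace(/(^|\s)#.*$/, '').trimEnd(); // strip comments
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) topKey = line.split(':')[0].trim();
    if (topKey === 'on' && /\bpull_request_target\b/.test(line)) onTarget = true;
    const perm = line.match(/^\s*([\w-]+):\s*write\s*$/);
    if (perm) writeScopes.push(perm[1]);
    const uses = line.match(/^\s*-?\s*uses:\s*["']?([^\s"']+)/);
    if (!uses) continue;
    const ref = uses[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue; // not a tag-resolved action
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!SHA40.test(version)) unpinned.push(ref);
  }
  // Risky only when all three hold: the trigger can hand out a write-capable
  // token, a write scope is requested, and third-party code is resolved at
  // run time from a ref that the action's maintainers (or an attacker who
  // compromises them) can move.
  const risky = onTarget && writeScopes.length > 0 && unpinned.length > 0;
  return { onTarget, writeScopes, unpinned, risky };
}

// Constructed sample mirroring the shape of the workflow under review.
const SAMPLE_WEAK = `
name: PR Labeling
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Label PR based on files changed
        uses: actions/labeler@v4
        with:
          configuration-path: .github/labeler.yml
          sync-labels: true
      - name: Check for squad changes and add label
        uses: actions/github-script@v7
`;

// Placeholder 40-hex value; not a real upstream commit.
const FAKE_SHA = '0123456789abcdef0123456789abcdef01234567';

const SAMPLE_PINNED = SAMPLE_WEAK
  .replace('actions/labeler@v4', `actions/labeler@${FAKE_SHA} # v4.x (placeholder)`)
  .replace('actions/github-script@v7', `actions/github-script@${FAKE_SHA} # v7.x (placeholder)`);

// Scan the weak sample, the pinned sample, and the weak sample re-triggered on
// plain pull_request (unpinned, but the token there is fork-read-only).
function demoScan() {
  return {
    weak: scanWorkflow(SAMPLE_WEAK),
    pinned: scanWorkflow(SAMPLE_PINNED),
    pullRequestOnly: scanWorkflow(SAMPLE_WEAK.replace('pull_request_target:', 'pull_request:')),
  };
}

console.log(JSON.stringify(demoScan(), null, 2));
```

Run it with `node` to see the three verdicts; only the first sample is reported as risky, the pinned one passes, and the pull_request variant still lists both unpinned refs but without the write-capable-trigger condition.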
Pin actions/labeler and actions/github-script to immutable commit SHAs to prevent supply-chain attacks in the write-token context. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- Switch pr-labeling.yml trigger from pull_request to pull_request_target so the workflow runs with the base repository's write-capable GITHUB_TOKEN
- Replace git diff squad-change detection with GitHub API (pulls.listFiles with pagination) since pull_request_target doesn't check out fork commits
- Remove actions/checkout step (both labeler and squad check now use API only)

Root cause
The SynkraAI org enforces default_workflow_permissions: read and blocks repos from overriding to write. This means the permissions: pull-requests: write block in the workflow has no effect under pull_request trigger — the token stays read-only. pull_request_target runs in the base repository context with elevated permissions, bypassing this restriction. This fixes labeling for all PRs (same-repo and fork).

Closes #479

Test plan
- squads/ and verify needs-po-review label is added
- Resource not accessible by integration errors in workflow logs

🤖 Generated with Claude Code
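The API-only squad detection this summary describes, including the rename-aware check CodeRabbit asked for earlier in the thread, as an added JavaScript example rather than the project's own workflow script. It assumes the `github` (Octokit) and `context` objects that actions/github-script injects; `SQUAD_PREFIX`, `SQUAD_LABEL`, `fakeGithub`, `demo` and the sample file lists are constructed for the example.

```javascript
// Added example, not the project's workflow script: squad-change detection
// for a job triggered by pull_request_target. labelSquadChanges is the part
// you would paste into an actions/github-script step; that action injects
// `github` (Octokit) and `context`. SQUAD_PREFIX, SQUAD_LABEL, fakeGithub and
// the sample data below are assumptions made for this example.
//
// Why this shape is safe under pull_request_target: the job never checks out
// or executes fork content. Its only input is the file list returned by the
// REST API (data, not code), and it inspects both the new path and the
// pre-rename path, so moving a file out of squads/ cannot dodge the label.

const SQUAD_PREFIX = 'squads/';
const SQUAD_LABEL = 'needs-po-review';

// True when either the current or the previous path of a file entry lies
// under squads/. previous_filename is only present for renamed files, so
// undefined values are filtered out before the prefix test.
function touchesSquad(file) {
  return [file.filename, file.previous_filename]
    .filter((p) => typeof p === 'string')
    .some((p) => p.startsWith(SQUAD_PREFIX));
}

function hasSquadChanges(files) {
  return files.some(touchesSquad);
}

// Fetch every page of pulls.listFiles (100 per page is the API maximum).
// github.paginate follows the Link header until the list is exhausted, so a
// large PR does not silently stop at the first page.
async function listPullFiles(github, context) {
  return github.paginate(github.rest.pulls.listFiles, {
    owner: context.repo.owner,
    repo: context.repo.repo,
    pull_number: context.payload.pull_request.number,
    per_page: 100,
  });
}

// Returns true when the label was added, false when no squad file changed.
async function labelSquadChanges(github, context) {
  const files = await listPullFiles(github, context);
  if (!hasSquadChanges(files)) return false;
  await github.rest.issues.addLabels({
    owner: context.repo.owner,
    repo: context.repo.repo,
    issue_number: context.payload.pull_request.number,
    labels: [SQUAD_LABEL],
  });
  return true;
}

// --- Offline harness (constructed stand-in for the Octokit client) --------
function fakeGithub(pages) {
  const added = [];
  return {
    added,
    rest: {
      pulls: { listFiles: 'pulls.listFiles' },
      issues: { addLabels: async ({ labels }) => { added.push(...labels); } },
    },
    // Mimics github.paginate by concatenating every page of the route.
    paginate: async () => pages.flat(),
  };
}

const FAKE_CONTEXT = {
  repo: { owner: 'example-org', repo: 'example-repo' },
  payload: { pull_request: { number: 585 } },
};

// Constructed file lists: a rename out of squads/ that only shows up on the
// second page (a filename-only, single-page check would miss it), and an
// unrelated change.
const PAGES_RENAME_OUT = [
  [{ filename: 'README.md', status: 'modified' }],
  [{ filename: 'docs/charter.md', previous_filename: 'squads/alpha/charter.md', status: 'renamed' }],
];
const PAGES_UNRELATED = [[{ filename: 'README.md', status: 'modified' }]];

// Run both scenarios and report which ones received the label.
async function demo() {
  const ghRename = fakeGithub(PAGES_RENAME_OUT);
  const ghOther = fakeGithub(PAGES_UNRELATED);
  return {
    renameOut: await labelSquadChanges(ghRename, FAKE_CONTEXT),
    renameOutLabels: ghRename.added,
    unrelated: await labelSquadChanges(ghOther, FAKE_CONTEXT),
    unrelatedLabels: ghOther.added,
  };
}

demo().then((result) => console.log(JSON.stringify(result)));
```

Inside the real step only `labelSquadChanges(github, context)` is needed; the harness exists so the predicate and the pagination path can be exercised without a token. Note that the label is the only write this job performs, which is the level of privilege a pull_request_target workflow handling fork input should be limited to.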