Merged
1 change: 1 addition & 0 deletions .github/workflows/release.yml
@@ -16,6 +16,7 @@
schedule:
- cron: "0 0 * * 1"
pull_request:
types: [opened, synchronize, reopened, labeled]

Check warning on line 19 in .github/workflows/release.yml
probelabs / Visor: performance (performance Issue)

The workflow is configured to trigger on every `labeled` event for a pull request. This will cause the entire workflow to run each time any label is added or removed, leading to unnecessary consumption of CI/CD resources. The pull request description mentions this is for the `deps-reviewed` label, but the current implementation triggers on all labels.
To prevent unnecessary workflow runs, add a conditional check at the job level to ensure that jobs only run for the `labeled` event if the specific label is `deps-reviewed`. This will preserve the behavior for other event types like `opened` and `synchronize` while correctly scoping the `labeled` trigger.

Example of a job-level conditional:
```yaml
jobs:
  some-job:
    if: github.event.action != 'labeled' || github.event.label.name == 'deps-reviewed'
    runs-on: ubuntu-latest
    steps:
      ...
```

Check warning on line 19 in .github/workflows/release.yml
probelabs / Visor: architecture (architecture Issue)

The workflow is configured to trigger every time any label is added to a pull request by using the `labeled` event type. This will cause the workflow to execute for any label, leading to unnecessary workflow runs and resource consumption. The pull request description states the goal is to trigger only for the `deps-reviewed` label.
To ensure the workflow runs only when intended, add a condition to the relevant job(s) to check for the specific label. For example:
```yaml
jobs:
  your-job-name:
    if: github.event.label.name == 'deps-reviewed'
    ...
```

Check warning on line 19 in .github/workflows/release.yml
probelabs / Visor: security (security Issue)

The `release.yml` workflow is now triggered whenever a label is added to a pull request (`labeled` event). This significantly widens the trigger surface for a workflow that, based on its name, may perform sensitive release operations. If this workflow has access to secrets and performs actions like publishing artifacts, it could be triggered on unreviewed code by any user with permission to add labels. This could potentially lead to unauthorized releases or execution of privileged actions from a pull request branch.
Validate that the `release.yml` workflow does not perform any sensitive operations that should be restricted to merges on protected branches. If it does, remove the `labeled` trigger. If the workflow must run on label events for tasks like dependency checks (as suggested by the PR description), ensure the job has strict conditions to prevent unintended execution of sensitive steps. For example, add conditions to verify the actor's permissions and the specific label that was added (e.g., `if: github.event.label.name == 'deps-reviewed'`). Sensitive release workflows should ideally only be triggered on pushes to protected branches.

Check warning on line 19 in .github/workflows/release.yml
probelabs / Visor: quality (architecture Issue)

The `labeled` pull request trigger will cause the workflow to run every time any label is added or removed. This can lead to excessive and unnecessary workflow executions, consuming runner minutes and adding noise to pull request checks.
To ensure the workflow only runs when the specific 'deps-reviewed' label is added (as mentioned in the PR description), add a condition to the relevant job(s) in this workflow. For example: `if: github.event.action == 'labeled' && github.event.label.name == 'deps-reviewed'`.
push:
branches:
- master
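Review bot: the `labeled` entry added to `types: [opened, synchronize, reopened, labeled]` fires on every label added to a pull request, and nothing in this hunk narrows it to the `deps-reviewed` label that the Visor annotations quote from the PR description, so each job in release.yml will run again for every unrelated label. Because `opened`, `synchronize` and `reopened` already run this workflow for pull requests, the guard belongs at job level and should only filter the label event, e.g. `if: github.event.action != 'labeled' || github.event.label.name == 'deps-reviewed'`; a bare `github.event.label.name == 'deps-reviewed'` check would also stop the jobs on the other three event types, where `github.event.label` is not set. Two precisions on the annotations above: `labeled` fires only when a label is added (removals are the separate `unlabeled` type, which this hunk does not add), and the pull_request path was already open to unreviewed branches before this change, so the real check is that any step which publishes or needs release secrets is tied to the `push` to `master` trigger shown in the trailing context rather than to the pull_request events. Please add the job-level condition in this PR and state in the workflow comments which jobs are expected to run on the label event.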