Closed

test #2272
5 changes: 3 additions & 2 deletions .github/workflows/pr-assigner.yaml


High-level Suggestion

Restore the original canonical GitHub Action reference and its secure commit SHA. [High-level, importance: 9]

Solution Walkthrough:

Before:

jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
        with:
          event-type: ${{ github.event.action }}

After:

jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8
        with:
          event-type: ${{ github.event.action }}

Expand Up @@ -2,7 +2,7 @@
name: Assign PR

on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
Comment on lines 4 to 6


Suggestion: Revert to pull_request_target to ensure the workflow can access secrets for external contributor PRs. [possible issue, importance: 9]

Suggested change
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
on:
pull_request_target:
types: [opened, ready_for_review, unassigned]
...
jobs:
assign-reviewers:
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

Comment on lines 4 to 6


Suggestion: Revert the trigger to pull_request_target and add a job-level guard to limit execution to same-repo branches. [possible issue, importance: 3]

Suggested change
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
on:
pull_request_target:
types: [opened, ready_for_review, unassigned]
...
jobs:
assign-reviewers:
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}


permissions:
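Review bot: Changing the trigger from `pull_request_target` to `pull_request` (the `on:` block, lines 4 to 6 of the file) removes the workflow's access to repository secrets for pull requests opened from forks, yet the same job still passes `secrets.PR_ASSIGNER_PAT_TOKEN`, `secrets.PR_ASSIGNER_SLACK_WEBHOOK` and `secrets.PTO_CALENDAR_URL` to the assigner step, so those inputs would be empty and reviewer assignment would silently fail for external contributors. Nothing in this file checks out or runs the PR head, so `pull_request_target` was not exposing base-repo secrets to contributor-controlled code here; either keep `pull_request_target`, or, if the switch is intentional, state why in the PR and add a job-level `if:` guard (for example `github.event.pull_request.head.repo.full_name == github.repository`) so the job is skipped rather than failing for fork PRs.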
Expand All @@ -14,10 +14,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
Comment on lines 16 to +17


Suggestion: Pin the GitHub Action to a specific commit SHA instead of a mutable branch. [security, importance: 8]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<COMMIT_SHA>

Comment on lines 16 to +17


Suggestion: Pin the GitHub Action to an immutable commit SHA instead of a movable branch like @auto-pr. [security, importance: 9]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<COMMIT_SHA>

Comment on lines 16 to +17


Suggestion: Pin the GitHub Action to a specific commit SHA instead of a mutable branch reference. [security, importance: 7]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<PINNED_COMMIT_SHA>

Comment on lines 16 to +17


Suggestion: Pin the GitHub Action to a specific commit SHA instead of using a mutable branch reference. [security, importance: 5]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<PINNED_COMMIT_SHA>

with:
Comment on lines 16 to 18


Suggestion: Revert the GitHub Action to use the official repository and a specific commit SHA. [security, importance: 9]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
with:

event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}
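Review bot: The `uses:` line (line 17) moves the action from the organisation repository pinned to commit `5da461efb1b29e523d01989ee09758e85099bda8` to a personal fork at the mutable branch `auto-pr`, and the `with:` block then hands that action `PR_ASSIGNER_PAT_TOKEN`, `PR_ASSIGNER_SLACK_WEBHOOK` and the newly added `PTO_CALENDAR_URL`. Anyone who can push to `auto-pr` in that fork can change the code that receives those secrets on the next run, so pin to a full 40-character commit SHA and keep the `# <branch>` comment convention the replaced line used; if the fork's change is meant to land upstream, let it merge first and bump the `konflux-ci` SHA instead. The new `pto-calendar-url` input also assumes a `PTO_CALENDAR_URL` repository secret exists; confirm it is configured, and note that under the `pull_request` trigger introduced in the first hunk it will be empty for fork PRs.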
Comment on lines 16 to +24


Suggestion: Add an in-file comment explaining why the action source was changed and what the new PTO_CALENDAR_URL secret is expected to contain/affect, to avoid surprising CI behavior and configuration drift. [organization best practice, importance: 6]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}
- name: Assign reviewers using shared action
# NOTE: This workflow uses a custom PR assigner action fork; update rationale/owner here if changed.
# Requires `PTO_CALENDAR_URL` secret (calendar feed used to avoid assigning reviewers who are OOO).
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}
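Added here as a worked example, not code from this PR or from either repository: a small Python checker for the two classes of issue the suggestions in this thread raise, `uses:` references that are not pinned to a full commit SHA (and secrets handed to such a step), and `pull_request_target` workflows that check out the contributor's head commit, which is the combination that makes that trigger dangerous. The sample workflow texts are constructed to mirror the shape of this diff and are not the repository's actual file; the `trusted_owners` allow-list and the severity labels are this example's own conventions, not anything the project defines.

```python
import re

# A step or reusable-workflow reference: owner/repo[/path]@ref, optionally "# comment".
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*([^\s#]+)(?:\s*#\s*(.*\S))?\s*$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SECRET_RE = re.compile(r'\$\{\{[^}]*\bsecrets\.')
HEAD_CHECKOUT_RE = re.compile(r'github\.event\.pull_request\.head\.(?:sha|ref)')
STEP_START_RE = re.compile(r'^\s*-\s')


def check_workflow(text, trusted_owners=()):
    """Scan one workflow file's text; return (line_no, severity, message) tuples."""
    findings = []
    lines = text.splitlines()
    pr_target = any(l.strip().startswith("pull_request_target") for l in lines)
    unpinned = None  # target of the current step when it is not SHA-pinned
    for no, line in enumerate(lines, 1):
        if STEP_START_RE.match(line):
            unpinned = None  # a new list item starts a new step
        m = USES_RE.match(line)
        if m:
            ref, comment = m.groups()
            # Local actions and docker:// images carry no git ref to pin.
            if ref.startswith(("./", "docker://")) or "@" not in ref:
                continue
            target, version = ref.rsplit("@", 1)
            owner = target.split("/", 1)[0]
            if not FULL_SHA_RE.match(version):
                unpinned = target
                findings.append((no, "high", f"{target} uses mutable ref '{version}' instead of a 40-hex commit SHA"))
            elif not comment:
                findings.append((no, "low", f"{target} is SHA-pinned but lacks a '# <tag-or-branch>' comment"))
            if trusted_owners and owner not in trusted_owners:
                findings.append((no, "medium", f"{target} is owned by '{owner}', outside the trusted owners"))
        elif unpinned and SECRET_RE.search(line):
            findings.append((no, "high", f"secret on this line is passed to unpinned action {unpinned}"))
        if pr_target and HEAD_CHECKOUT_RE.search(line):
            findings.append((no, "high", "pull_request_target workflow checks out the PR head; fork code would run with base-repo secrets"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean file."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[1] for f in findings), key=order.get, default="none")


# Constructed sample mirroring the shape of this PR's diff (not the repo's real file).
CHANGED = """\
name: Assign PR
on:
  pull_request:
    types: [opened, ready_for_review, unassigned]
jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
        with:
          event-type: ${{ github.event.action }}
          github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
          slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
"""

# The same file with the reference the reviewers asked to restore.
PINNED = CHANGED.replace(
    "seanconroy2021/release-service-automations/pr-assigner@auto-pr",
    "konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main",
)

# Constructed example of the pattern that makes pull_request_target dangerous:
# checking out and running the contributor's head commit with base-repo secrets.
PR_TARGET_CHECKOUT = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

if __name__ == "__main__":
    for name, text in (("changed", CHANGED), ("pinned", PINNED), ("pr_target", PR_TARGET_CHECKOUT)):
        fs = check_workflow(text, trusted_owners=("konflux-ci",))
        print(f"{name}: worst={worst_severity(fs)}")
        for no, sev, msg in fs:
            print(f"  line {no} [{sev}] {msg}")
```

The checker is line-oriented on purpose: it needs no YAML library, and because it resets its "current step" state on every `- ` list item, a `${{ secrets.* }}` value is only attributed to the `uses:` step it actually belongs to. Run it over `.github/workflows/*.yml` in CI and fail the job on any `high` finding to keep mutable action refs from being merged.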
