Skip to content

fix(ci): Add secure PR labeler workflow with v5 config #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

fix(ci): Add secure PR labeler workflow with v5 config #2

wants to merge 3 commits into from

Conversation

Copy link

Copilot AI commented Oct 17, 2025
edited
Loading

Overview

Implements an automated PR labeling workflow using GitHub Actions, based on the approach in PanagiotisDrakatos/HCE_v33_final_allinone_ready#32, with critical security fixes and improvements.

Changes

  • .github/labeler.yml: Labeler configuration using actions/labeler@v5 schema with array matchers
  • .github/workflows/pr-labeler.yml: GitHub Actions workflow for automatic PR labeling
  • .github/README.md: Documentation explaining security considerations and available labels

Security Improvements

This implementation addresses several security concerns identified in the original PR:

1. Event Type: pull_request instead of pull_request_target

The original implementation used pull_request_target with explicit checkout of PR code, which creates a security vulnerability:

# ❌ Original (insecure)
on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review]
steps:
  - uses: actions/checkout@v4
    with:
      ref: ${{ github.event.pull_request.head.sha }}

This allows malicious PRs to execute untrusted code with write permissions and access to repository secrets.

Our implementation uses the safer pull_request event:

# ✅ Our implementation (secure)
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
steps:
  - uses: actions/checkout@v4

Benefit: The workflow runs in the context of the merge commit with restricted permissions, preventing malicious code execution.

2. Fork Compatibility

The original checkout configuration would fail for forked PRs because github.event.pull_request.head.sha doesn't exist in the base repository. Our implementation works seamlessly with both same-repo and forked PRs.

3. Code Documentation

Added inline comment explaining the 200-line debug output limit to avoid confusion about the "magic number":

# Print only the first 200 lines to avoid log overflow in CI output
sed -n '1,200p' .github/labeler.yml

Available Labels

The workflow automatically applies labels based on changed files:

  • Module labels: api, bloom-filter, config, consensus, core, crypto, distributed-ledger, erasure-code, network, protocol, shared-resources, trie, util
  • Functional labels: documentation, ci, docker, build, tests

Testing

YAML syntax validated successfully:

labeler.yml: Valid YAML ✓
pr-labeler.yml: Valid YAML ✓

The workflow will automatically run on all PRs (opened, synchronized, reopened, or marked ready for review) and apply appropriate labels based on the files changed.

Original prompt

@PanagiotisDrakatos/HCE_v33_final_allinone_ready/pull/32

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI self-assigned this Oct 17, 2025
Copilot AI changed the title [WIP] Fix issue in pull request #32 fix(ci): Add secure PR labeler workflow with v5 config Oct 17, 2025
Copilot finished work on behalf of PanagiotisDrakatos October 17, 2025 01:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PanagiotisDrakatos PanagiotisDrakatos Awaiting requested review from PanagiotisDrakatos

Assignees

@PanagiotisDrakatos PanagiotisDrakatos

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PanagiotisDrakatos