Add PR Labeler workflow and config to cookiecutter

llucax · llucax · commit f7e1abb6598f · 2023-06-12T14:30:07.000+02:00
Signed-off-by: Leandro Lucarella &lt;luca-frequenz@llucax.com&gt;
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/.github/labeler.yml b/cookiecutter/{{cookiecutter.github_repo_name}}/.github/labeler.yml
@@ -0,0 +1,43 @@
+# Configuration for the Labeler GitHub action, executed by
+# .github/workflows/labeler.yml.
+#
+# The basic syntax is [label]: [path patterns].
+#
+# For more details on the configuration please see:
+# https://github.com/marketplace/actions/labeler
+
+# TODO(cookiecutter): Add different parts of the source
+# For example:
+#
+# "part:module":
+#   - "src/frequenz/{{cookiecutter.type}}/{{cookiecutter.name}}/module/**"
+#
+# "part:other":
+#   - "src/frequenz/{{cookiecutter.type}}/{{cookiecutter.name}}/other/**"
+#
+# Please have in mind that that the part:xxx should be created as a issue label
+# in the GitHub repository"
+
+"part:docs":
+  - "**/*.md"
+  - "docs/**"
+  - "examples/**"
+  - LICENSE
+
+"part:tests":
+{%- if cookiecutter.type == "api" %}
+  - "pytests/**"
+{%- else %}
+  - "tests/**"
+{%- endif %}
+
+"part:tooling":
+  - "**/*.ini"
+  - "**/*.toml"
+  - "**/*.yaml"
+  - "**/*.yml"
+  - ".git*"
+  - ".git*/**"
+  - CODEOWNERS
+  - MANIFEST.in
+  - noxfile.py
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/labeler.yml b/cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/labeler.yml
@@ -0,0 +1,23 @@
+name: Pull Request Labeler
+
+on: [pull_request_target]
+
+jobs:
+  Label:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Labeler
+        # XXX: !!! SECURITY WARNING !!!
+        # pull_request_target has write access to the repo, and can read secrets. We
+        # need to audit any external actions executed in this workflow and make sure no
+        # checked out code is run (not even installing dependencies, as installing
+        # dependencies usually can execute pre/post-install scripts). We should also
+        # only use hashes to pick the action to execute (instead of tags or branches).
+        # For more details read:
+        # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+        uses: actions/labeler@0776a679364a9a16110aac8d0f40f5e11009e327  # 4.0.4
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
