fix: Swap security label check on the PR title validation job to expl…

…icit permissions instead (#3987) revert security label check for PR title validation & add explicit read-only permission instead Signed-off-by: Jeremy Ary <jary@redhat.com>
feast-dev · Mar 6, 2024 · f604af9 · f604af9
1 parent 2cf1a0f
commit f604af9
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/.github/workflows/lint_pr.yml b/.github/workflows/lint_pr.yml
@@ -7,12 +7,13 @@ on:
       - edited
       - synchronize
 
+permissions:
+  # read-only perms specified due to use of pull_request_target in lieu of security label check
+  pull-requests: read
+
 jobs:
   validate-title:
-    # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
-      ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
-      (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&
       github.repository == 'feast-dev/feast'
     name: Validate PR title
     runs-on: ubuntu-latest