chore: fix permissions for the draft labeling automation (#6732)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-01-31 11:03:11 +08:00 · 2026-01-14 14:21:05 +01:00
parent 0cdb63edd1
commit 31d2417dde
1 changed files with 31 additions and 25 deletions
--- a/.github/workflows/mark-as-draft-on-requesting-changes.yml
+++ b/.github/workflows/mark-as-draft-on-requesting-changes.yml
@@ -1,56 +1,62 @@
 name: Mark PR as draft when changes are requested

-on:
-  pull_request_review:
-    types: [submitted]
-
-  pull_request:
-    types: [labeled]
+# pull_request_target is safe here because:
+# 1. Does not use any external actions; only uses the GitHub CLI via run commands
+# 2. Has minimal permissions
+# 3. Doesn't checkout or execute any untrusted code from PRs
+# 4. Only adds/removes labels or changes the draft status
+on: # zizmor: ignore[dangerous-triggers]
+  pull_request_target:
+    types:
+      - review_submitted
+      - labeled
+      - ready_for_review

 permissions: {}

 jobs:
  mark-draft:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    if: |
      (
-        github.event_name == 'pull_request_review' &&
+        github.event.action == 'review_submitted' &&
        github.event.review.state == 'changes_requested'
      ) || (
-        github.event_name == 'pull_request' &&
+        github.event.action == 'labeled' &&
        github.event.label.name == 'pr:please address review comments'
      )
    steps:
      - name: Add label on requested changes
-        if: github.event_name == 'pull_request_review'
+        if: github.event.review.state == 'changes_requested'
        env:
-          GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
        run: |
-          gh issue edit "$PR_NUMBER" \
-            --repo "$REPO" \
+          gh issue edit "${{ github.event.pull_request.number }}" \
+            --repo "${{ github.repository }}" \
            --add-label "pr:please address review comments"

      - name: Mark PR as draft
        env:
-          GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-        run: gh pr ready "$PR_URL" --undo || true
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr ready "${{ github.event.pull_request.number }}" --undo || true
+
  ready-for-review:
    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' && github.event.action == 'ready_for_review'
+    permissions:
+      pull-requests: write
+    if: github.event.action == 'ready_for_review'
    steps:
      - name: Update labels for review
        env:
-          GH_TOKEN: ${{ secrets.MARK_AS_DRAFT_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}
        run: |
-          gh issue edit "$PR_NUMBER" \
-            --repo "$REPO" \
+          gh issue edit "${{ github.event.pull_request.number }}" \
+            --repo "${{ github.repository }}" \
            --remove-label "pr:please address review comments" || true

-          gh issue edit "$PR_NUMBER" \
-            --repo "$REPO" \
+          gh issue edit "${{ github.event.pull_request.number }}" \
+            --repo "${{ github.repository }}" \
            --add-label "pr:needs review"