[8.0] Backport labeling workflow changes (#112241)

* Change some workflows using `pull_request` to use `pull_request_target` instead (#112161) * Change workflows to use pull_request_target instead of pull_request event * Add CODEOWNERS entry * Add initial readme * Add repo-specific condition to labeling workflows (#112169) * Condition labeling workflows to only run on dotnet/runtime. * Improve readme * Add jeffhandley as explicit workflow owner Co-authored-by: Jeff Handley <[email protected]> * Apply suggestions from code review --------- Co-authored-by: Jeff Handley <[email protected]>
dotnet · Feb 11, 2025 · 98d6415 · 98d6415
1 parent 4e2e722
commit 98d6415
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 4 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -101,3 +101,4 @@
 /docs/area-owners.*                                 @jeffhandley
 /docs/issue*.md                                     @jeffhandley
 /.github/fabricbot.json                             @jeffhandley
+/.github/workflows/                                 @jeffhandley @dotnet/runtime-infrastructure
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,22 @@
+# Workflows
+
+General guidance:
+
+Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+
+For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though.
+
+Most workflows are intended to run only in the `dotnet/runtime` repository and not in forks. To force workflow jobs to be skipped in forks, each job should apply an `if` statement that checks the repository name or owner. Either approach works, but checking only the repository owner allows the workflow to run in copies or forks withing the dotnet org.
+
+```yaml
+jobs:
+  job-1:
+    # Do not run this job in forks
+    if: github.repository == 'dotnet/runtime'
+
+  job-2:
+    # Do not run this job in forks outside the dotnet org
+    if: github.repository_owner == 'dotnet'
+```
+
+Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information.
diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml
@@ -4,14 +4,15 @@ permissions:
   pull-requests: read
 
 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [opened, reopened, labeled, unlabeled]
     branches:
       - 'main'
       - 'release/**'
 
 jobs:
   check-labels:
+    if: github.repository == 'dotnet/runtime'
     runs-on: ubuntu-latest
     steps:
     - name: Check 'NO-MERGE' label

diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
@@ -4,13 +4,14 @@ permissions:
   pull-requests: read
 
 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [opened, reopened, labeled, unlabeled]
     branches:
       - 'release/**'
 
 jobs:
   check-labels:
+    if: github.repository == 'dotnet/runtime'
     runs-on: ubuntu-latest
     steps:
     - name: Check 'Servicing-approved' label