From a0c0c43c924830ac278b40f6ca5feb9fa038da53 Mon Sep 17 00:00:00 2001 From: Russell Bryant Date: Thu, 7 Nov 2024 20:56:03 -0500 Subject: [PATCH] [CI/Build] Give PR cleanup job PR write access When I ran this job on my own fork, it had the necessary permissions to edit my own PR. Here, we need to explicitly grant the workflow PR write access. Since we are giving the GITHUB_TOKEN some level of elevated access, it is safer to use `pull_request_event` instead of `pull_request`. The difference is that `pull_request_event` runs in the context of `main` instead of the PR. In other words, a PR will not run this workflow using changes from the PR itself. This prevents a malicious PR from editing this workflow, or a script that it executes, to do something malicious with the github token. Finally, run this on the reopened event, but not synchronize. It's not relevant for sync (new commits being pushed). Signed-off-by: Russell Bryant --- .github/workflows/cleanup_pr_body.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cleanup_pr_body.yml b/.github/workflows/cleanup_pr_body.yml index 7cf7242e130c8..37d93a1277974 100644 --- a/.github/workflows/cleanup_pr_body.yml +++ b/.github/workflows/cleanup_pr_body.yml @@ -1,8 +1,11 @@ name: Cleanup PR Body on: - pull_request: - types: [opened, edited, synchronize] + pull_request_target: + types: [opened, reopened, edited] + +permissions: + pull-requests: write jobs: update-description:
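Review bot: The commit message refers to `pull_request_event` (twice), but the hunk actually switches the trigger to `pull_request_target:`; `pull_request_event` is not a GitHub Actions trigger, so the message should be corrected to `pull_request_target` to match the change and avoid misleading anyone auditing this workflow later. The reasoning itself is sound: `pull_request_target` runs the workflow definition from the base branch, so a fork PR cannot rewrite this file to abuse the token, and the new `permissions:` block scopes the elevated access to `pull-requests: write` only. Two follow-ups worth confirming in the part of the job this hunk does not show (`update-description:`): the job must not check out or execute code from the PR head (for example `actions/checkout` with `ref:` pointing at the PR's head SHA) while holding this token, or the protection the message describes is lost; and since the workflow now also fires on `edited` for a job that reads the PR body, any `run:` step should pass `github.event.pull_request.body` or title through an environment variable rather than interpolating `${{ ... }}` directly into the shell command, as the body is untrusted input.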