mirror of
https://github.com/actions/labeler.git
synced 2025-12-10 11:41:56 +00:00
Improve Labeler Action Documentation and Error Handling for Permissions (#897)
* Update README.md and labeler.ts to clarify permissions for GitHub Labeler Action * Update dist/index.js with latest build changes * Update README.md to clarify manual label creation as an alternative to granting issues write permission * Fix labeler error handling to ensure case-insensitive check for unauthorized access * Refactor error handling in labeler to throw an error for unauthorized access instead of logging * Add tests for labeler error handling and improve error reporting
This commit is contained in:
Chiranjib Swain
27
README.md
27
README.md
@@ -265,15 +265,36 @@ jobs:
|
||||
|
||||
## Recommended Permissions
|
||||
|
||||
In order to add labels to pull requests, the GitHub labeler action requires write permissions on the pull-request. However, when the action runs on a pull request from a forked repository, GitHub only grants read access tokens for `pull_request` events, at most. If you encounter an `Error: HttpError: Resource not accessible by integration`, it's likely due to these permission constraints. To resolve this issue, you can modify the `on:` section of your workflow to use
|
||||
[`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) instead of `pull_request` (see example [above](#create-workflow)). This change allows the action to have write access, because `pull_request_target` alters the [context of the action](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) and safely grants additional permissions. There exists a potentially dangerous misuse of the pull_request_target workflow trigger that may lead to malicious PR authors (i.e. attackers) being able to obtain repository write permissions or stealing repository secrets, Hence it is advisible that pull_request_target should only be used in workflows that are carefully designed to avoid executing untrusted code and to also ensure that workflows using pull_request_target limit access to sensitive resources. Refer to the [GitHub token permissions documentation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) for more details about access levels and event contexts.
|
||||
To successfully add labels to pull requests using the GitHub Labeler Action, specific permissions must be granted based on your use case:
|
||||
|
||||
1. **Adding Existing Labels**:
|
||||
- Requires: `pull-requests: write`
|
||||
- Use this if all labels already exist in the repository (i.e., pre-defined in `.github/labeler.yml`).
|
||||
|
||||
2. **Creating New Labels**:
|
||||
- Requires: `issues: write`
|
||||
- This is necessary if the action needs to create labels that do not already exist in the repository.
|
||||
|
||||
However, when the action runs on a pull request from a forked repository, GitHub only grants read access tokens for `pull_request` events, at most. If you encounter an `Error: HttpError: Resource not accessible by integration`, it's likely due to these permission constraints. To resolve this issue, you can modify the `on:` section of your workflow to use
|
||||
[`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) instead of `pull_request` (see example [above](#create-workflow)). This change allows the action to have write access, because `pull_request_target` alters the [context of the action](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) and safely grants additional permissions.
|
||||
|
||||
There exists a potentially dangerous misuse of the `pull_request_target` workflow trigger that may lead to malicious PR authors (i.e. attackers) being able to obtain repository write permissions or stealing repository secrets. Hence, it is advisable that `pull_request_target` should only be used in workflows that are carefully designed to avoid executing untrusted code and to also ensure that workflows using `pull_request_target` limit access to sensitive resources. Refer to the [GitHub token permissions documentation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) for more details about access levels and event contexts.
|
||||
|
||||
### Example Workflow Permissions
|
||||
|
||||
To ensure the action works correctly, include the following permissions in your workflow file:
|
||||
|
||||
```yml
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
issues: write
|
||||
```
|
||||
|
||||
### Manual Label Creation as an Alternative to Granting issues write Permission
|
||||
|
||||
If you prefer not to grant the `issues: write` permission in your workflow, you can manually create all required labels in the repository before the action runs.
|
||||
|
||||
## Notes regarding `pull_request_target` event
|
||||
|
||||
Using the `pull_request_target` event trigger involves several peculiarities related to initial set up of the labeler or updating version of the labeler.
|
||||
@@ -298,4 +319,4 @@ Once you confirm that the updated configuration files function as intended, you
|
||||
|
||||
## Contributions
|
||||
|
||||
Contributions are welcome! See the [Contributor's Guide](CONTRIBUTING.md).
|
||||
Contributions are welcome! See the [Contributor's Guide](CONTRIBUTING.md).
|
||||
Reference in New Issue
Block a user