expressjs
Create adr-labeler workflow
Related to https://github.com/expressjs/discussions/pull/296#issuecomment-2453123631
Will label any PR that touches the adr dir w/ ADR label
I like it, although I'm sure it will give an error like in https://github.com/expressjs/expressjs.com/issues/1553
Right, default token perms are read on prs
I think it needs this update
permissions:
pull-requests: write
issues: write
I still think it wouldn't work, we tried that in https://github.com/expressjs/expressjs.com/pull/1557 and it didn't work. The only way we believe might work, although we haven't tested it yet, is by creating a token with the permissions as attempted in https://github.com/expressjs/expressjs.com/pull/1642.
Ah, it's the permission model for forks mucking that up in the linked issue.
See the docs for GH_TOKEN perms, there's a note about this at the bottom.
I'll push an update to allow this to run based on PRs from forks.
After looking into this, idk that there's a safe way to do this tbh. We can use pull_request_target to give forks the right permissions, but then they could possibly leak the token w/ those elevated perms. Same w/ the PAT approach, could trigger a workflow run, alter the workflow file in the PR, leak the token.
The original PR works as long as folks aren't opening PRs based on forks, but creating branches here in the repo.
A github bot or github app might be the safest way to do this, can edit the PRs w/o having elevated permissions in a workflow file that can be altered by PRs coming from forks.
TIL: the permission model of GHA is pretty wild
~Can we change the name to RFC? I thought we had discussed that, but maybe with this new automation it is the time to do it?~
EDIT: We decided not to make the name change in one of the TC meetings.
due to permission issues, I don't think it's a good idea to add it, it will only create unnecessary noise about the workflow failing