[BUG] GitHub Actions workflow policy violation: pull_request_target

[lupyuen]

Description / Steps to reproduce the issue

ASF Infra Team has found a Policy Violation in the GitHub Actions Workflow for our NuttX Repo. This needs to be fixed within 60 days:

Subject: GitHub Actions workflow policy violations in nuttx
From: Apache Infrastructure <users@infra.apache.org>

The repository: nuttx has been scanned.
Our analysis has found that the following GitHub Actions workflows need remediation:
	Pull Request Labeler: `pull_request_target` was found as a workflow trigger. see https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Buildstriggeredwithpull_request_target, for more details

For more information on the GitHub Actions workflow policy, visit:
	https://infra.apache.org/github-actions-policy.html

Please remediate the above as soon as possible.
If after after 60 days these problems are not addressed, we will turn off builds

Sorry @simbit18: Did we change pull_request_target recently? What's the impact if we remove it? Thanks!

Update: pull_request_target is used only in the Labeler Workflow below. Will it work with the safer pull_request trigger?

https://github.com/apache/nuttx/blob/master/.github/workflows/labeler.yml#L17

Update 2: pr-size-labeler says that we should use (unsafe) pull_request_target instead of (safer) pull_request. This seems to contradict the ASF Infra Guidance?

https://github.com/CodelyTV/pr-size-labeler/blob/main/README.md

Replace on: [pull_request] with on: [pull_request_target] when using forks and when you don't want any PR to be able to execute code (more info: GitHub docs).

On which OS does this issue occur?

[OS: Linux]

What is the version of your OS?

GitHub CI

NuttX Version

master

Issue Architecture

[Arch: all]

Issue Area

[Area: Build System]

Host information

No response

Verification

• I have verified before submitting the report.

[raiden00pl]

pull_request_target is used also by other Apache projects: https://github.com/apache/mynewt-core/blob/master/.github/workflows/labeler.yml

in mynewt it was there for years

[lupyuen]

@raiden00pl Maybe it's a recent change in ASF Infra Policy? Mynewt probably needs to fix it too.

[raiden00pl]

Looking at the history of https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Buildstriggeredwithpull_request_target, it has been there for a long time.

Can Infra help with this? Most of us are embedded devs, not github CI experts.

[lupyuen]

@raiden00pl Lemme figure out how to chat with ASF Infra Team on Slack. It's possible that they're enforcing this Policy Violation due to a recent Code Scan.

Update: Lemme verify that pr-size-labeler works with the (safer) pull_request trigger, instead of the (unsafe) pull_request_target trigger. If ASF Infra Team insists that we use pull_request instead of pull_request_target, then we'll have an easy fix.

[simbit18]

Otherwise, we would need to find an alternative way to add labels, as the arch.yml workflow depends on actions/labeler and codelytv/pr-size-labeler.

@lupyuen We have 60 days to find some interesting inspiration! :)
(We need to run more marathons !)

[lupyuen]

This explains why pr-size-labeler needs pull_request_target instead of pull_request (because of the forked PRs):

• Question: Does this action work with pull requests from forks? CodelyTV/pr-size-labeler#8

And how we can use a Custom GitHub Token based on a Bot User:

• Question: Does this action work with pull requests from forks? CodelyTV/pr-size-labeler#8 (comment)

So maybe we could use a Custom GitHub Token from our Bot User @nuttxpr? But then our Bot User would need to have Labelling Permission to the NuttX Repo. Not sure if Apache Repos are allowed to support this hmmm...

[cederom]

Yeah in a perfect situation defining a problem should also define best quick fix solution :-P

Maybe is is possible to simply delete/undefine/blank secrets.GITHUB_TOKEN on start so it is not available to external repos?

[cederom]

Other projects also have this problem reported recently and everyone is searching for a solution. I have asked for a solution recommendation next to the problem definition :-)

https://issues.apache.org/jira/browse/INFRA-27602

[lupyuen]

Thanks to Tomek (and Apache Beam Project): https://issues.apache.org/jira/browse/INFRA-27602

FYI: We (Grails) received a similar.  For
https://github.com/apache/beam/blob/master/.github/workflows/label_prs.yml,
 I'd like to point out that the secret in question is "${{
secrets.GITHUB_TOKEN }}"  This token is given access to contents: read
& pull-requests: write.  So indeed it seems like your instance may be
safe.  In our case, we had content: write and we decided to just
remove auto-labeling functionality by removing pull)request_target.
It would be good to see if infrastructure would allow an exemption for
workflows that only target the PR & do not have write permissions.

My Action List:
(1) Verify that pr-size-labeler works with (safer) pull_request, instead of (unsafe) pull_request_target
(2) Chat with ASF Infra Team on Slack

[cederom]

there is a thread already on infra Slack but no response yet :-P

[raiden00pl]

maybe we can migrate to this: https://github.com/apps/boring-cyborg

here workflow in airflow project: https://github.com/apache/airflow/blob/main/.github/boring-cyborg.yml

it should be possible to migrate our labels workflow with LLM. Doing this work manually won't be pleasant :)