Remove pull_request_review processing from actions #6099
Merged
This update removes the pull_request_review processing. The reason for this is that this particular event has a potential security hole. Unlike the other events, which run against the files that are already in the repository, the pull_request_review event will run against the files in the PR. While the actions do require approval to run if they're initiated by someone without permissions, it would require people to be aware of the files in the PR, but, as we've seen, people don't always pay attention and sometimes blindly approve things. If someone were to make a PR with changes to .github/workflows yml files, they could block the action and scrape out the temporary, generated GITHUB_TOKEN.
The pull_request_review processing only removed the no-recent-activity label when a review was submitted. That label is used in scheduled event processing, along with days since last updated. While this event is no longer processed, any change to the PR, including a review, would reset the time since last update, which alleviates the concern about the label not being removed in this case.
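As an added illustration of the change described above (this is not the project's own workflow file, which the PR does not show), the block below sketches a hypothetical workflow whose `on:` block once included `pull_request_review`, with that trigger commented out so that only the scheduled processing remains. The workflow name, job name, action path, cron schedule, permissions and the day threshold are all assumed; only the `no-recent-activity` label and the reasoning come from the PR description.

```yaml
# Hypothetical workflow (added example, not from the repository).
name: issue-management

on:
  # Before this change, a submitted review triggered a job that removed the
  # no-recent-activity label. That event runs against the files in the PR,
  # so a PR that edits .github/workflows can change what the job does; if a
  # reviewer approves the run without reading those files, the job's
  # GITHUB_TOKEN is exposed to the PR author's changes. The trigger is removed.
  # pull_request_review:
  #   types: [submitted]
  schedule:
    - cron: '0 0 * * *'   # assumed daily schedule

# Least privilege: grant only what label handling needs (assumed scopes).
permissions:
  issues: write
  pull-requests: write

jobs:
  scheduled-cleanup:
    runs-on: ubuntu-latest
    steps:
      # The scheduled job combines the label with days since the last update.
      # Any PR activity, including a submitted review, resets that timer, so
      # the removed trigger is not needed to keep the label accurate.
      - uses: ./.github/actions/hypothetical-label-processor   # placeholder path
        with:
          stale-label: no-recent-activity
          days-since-last-update: 14   # assumed threshold
```

The point of the sketch is the `on:` block: triggers that execute workflow content from the PR head are the ones worth auditing, and dropping one that only duplicated work the scheduled job already covers removes an approval-dependent exposure of the token without losing the label behaviour.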