[9.0] Backport labeling workflow changes (#112240)

* Change some workflows using `pull_request` to use `pull_request_target` instead (#112161) * Change workflows to use pull_request_target instead of pull_request event * Add CODEOWNERS entry * Add initial readme * Add repo-specific condition to labeling workflows (#112169) * Condition labeling workflows to only run on dotnet/runtime. * Improve readme * Add jeffhandley as explicit workflow owner Co-authored-by: Jeff Handley <jeffhandley@users.noreply.github.com> * Apply suggestions from code review --------- Co-authored-by: Jeff Handley <jeffhandley@users.noreply.github.com>
2025-06-08 03:27:04 +09:00 · 2025-02-11 11:54:55 -08:00 · 2025-02-11 11:54:55 -08:00 · 9988faba42
commit 9988faba42
parent 689f4e9a5a
4 changed files with 29 additions and 5 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -113,3 +113,4 @@
 /docs/area-owners.*                                 @jeffhandley
 /docs/issue*.md                                     @jeffhandley
 /.github/policies/                                  @jeffhandley @mkArtakMSFT
+/.github/workflows/                                 @jeffhandley @dotnet/runtime-infrastructure
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@ -0,0 +1,22 @@
+# Workflows
+
+General guidance:
+
+Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+
+For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though.
+
+Most workflows are intended to run only in the `dotnet/runtime` repository and not in forks. To force workflow jobs to be skipped in forks, each job should apply an `if` statement that checks the repository name or owner. Either approach works, but checking only the repository owner allows the workflow to run in copies or forks withing the dotnet org.
+
+```yaml
+jobs:
+  job-1:
+    # Do not run this job in forks
+    if: github.repository == 'dotnet/runtime'
+
+  job-2:
+    # Do not run this job in forks outside the dotnet org
+    if: github.repository_owner == 'dotnet'
+```
+
+Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information.
--- a/.github/workflows/check-no-merge-label.yml
+++ b/.github/workflows/check-no-merge-label.yml
@ -4,14 +4,14 @@ permissions:
  pull-requests: read

 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [opened, reopened, labeled, unlabeled]
    branches:
-      - 'main'
      - 'release/**'

 jobs:
  check-labels:
+    if: github.repository == 'dotnet/runtime'
    runs-on: ubuntu-latest
    steps:
    - name: Check 'NO-MERGE' label
--- a/.github/workflows/check-service-labels.yml
+++ b/.github/workflows/check-service-labels.yml
@ -4,13 +4,14 @@ permissions:
  pull-requests: read

 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [opened, reopened, labeled, unlabeled]
    branches:
      - 'release/**'

 jobs:
  check-labels:
+    if: github.repository == 'dotnet/runtime'
    runs-on: ubuntu-latest
    steps:
    - name: Check 'Servicing-approved' label