chore(PR labeler): fix workflow having read access only, when triggered from forks (@NadAlaba) (#5842)

* chore(PR labeler): fix workflow having read access only when triggered from forks (@NadAlaba)

* remove logging and add an example with scope

* use action instead of gh cli for security

* use action to read json (instead of echoing contents in shell) for security

* step.if needs the same variables

* don't let attacker choose the labels

* step.name starts in caps

* no need for variable if it's used once

.github/workflows/label-pr.yml

@@ -1,58 +0,0 @@
-name: Update PR labels
-
-permissions:
-  contents: read
-  pull-requests: write
-
-on:
-  pull_request:
-    types: [review_requested, review_request_removed]
-  pull_request_review: 
-    types: [submitted]
-  issue_comment:
-    types: [created]
-
-jobs:
-  update-pr-labels:
-    name: Update PR Labels Based on Events
-    runs-on: ubuntu-latest
-    steps:
-      - name: Remove "waiting for update" label if comment is by PR author or a review is requested
-        if: ${{ (github.event.issue.pull_request && github.event_name == 'issue_comment' && github.event.comment.user.login == github.event.issue.user.login) || (github.event.action == 'review_requested') }}
-        uses: actions-ecosystem/action-remove-labels@v1
-        with:
-          labels: waiting for update
-        env:
-          NUMBER: ${{ github.event.issue.number }}
-
-      - name: Add "waiting for review" if a review is requested
-        if: github.event.action == 'review_requested'
-        uses: actions-ecosystem/action-add-labels@v1
-        with:
-          labels: waiting for review
-        env:
-          NUMBER: ${{ github.event.pull_request.number }}
-
-      - name: Remove "waiting for review" label if review request is removed
-        if: github.event.action == 'review_request_removed'
-        uses: actions-ecosystem/action-remove-labels@v1
-        with:
-          labels: waiting for review
-        env:
-          NUMBER: ${{ github.event.issue.number }}
-
-      - name: Add "waiting for update" if changes are requested
-        if: ${{(github.event_name == 'pull_request_review' && github.event.review.state == 'changes_requested')}}
-        uses: actions-ecosystem/action-add-labels@v1
-        with:
-          labels: waiting for update
-        env:
-          NUMBER: ${{ github.event.pull_request.number }}
-
-      - name: Remove "waiting for review" label after review
-        if: ${{github.event_name == 'pull_request_review' }}
-        uses: actions-ecosystem/action-remove-labels@v1
-        with:
-          labels: waiting for review
-        env:
-          NUMBER: ${{ github.event.issue.number }}

.github/workflows/semantic-pr-title.yml

@@ -45,6 +45,7 @@ jobs:
             A correct version would look something like: 
             
             feat: add new feature (@github-username)
+            impr(quotes): add english quotes (@github-username)
             fix: resolve bug (@github-username)
             
       - uses: marocchino/sticky-pull-request-comment@v2
@@ -56,13 +57,18 @@ jobs:
           message: |
             Hey there and thank you for opening this pull request! 👋🏼
 
-            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and also include the author name at the end inside round brackets. It looks like your proposed title needs to be adjusted.
+            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and also include the author name at the end inside parenthesis. It looks like your proposed title needs to be adjusted.
 
             Details:
 
             ```
             ${{ steps.lint_pr_title.outputs.error_message }}
             ```
+            A correct version would look something like: 
+
+            feat: add new feature (@github-username)
+            impr(quotes): add english quotes (@github-username)
+            fix: resolve bug (@github-username)
 
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}

.github/workflows/update-labels.yml

@@ -0,0 +1,96 @@
+name: Check labels to update
+
+on:
+  pull_request_target:
+    types:
+      [
+        review_requested,
+        ready_for_review,
+        review_request_removed,
+        converted_to_draft,
+        synchronize,
+        edited,
+      ]
+  pull_request_review:
+    types: [submitted, edited, dismissed]
+  pull_request_review_comment:
+    types: [created, edited]
+  issue_comment:
+    types: [created, edited]
+
+jobs:
+  update-labels:
+    runs-on: ubuntu-latest
+    env:
+      PR_NUM: ${{ github.event.pull_request.number || github.event.issue.number }}
+
+    steps:
+      - name: Set up varibles
+        run: |
+          echo "REVIEW=0" >> $GITHUB_ENV
+          echo "UPDATE=0" >> $GITHUB_ENV
+
+      - name: Add 'waiting for review' label
+        # when a review is requested or if the PR is converted from a draft
+        if: |
+          github.event_name == 'pull_request_target' &&
+          contains(fromJSON('["review_requested", "ready_for_review"]'), github.event.action)
+        run: echo "REVIEW=1" >> $GITHUB_ENV
+
+      - name: Remove 'waiting for review' label
+        # when a review request is removed or if the PR is converted to a draft
+        # or when the PR is reviewed by the owner, a member or a collaborator
+        if: |
+          (
+            github.event_name == 'pull_request_target' &&
+            contains(fromJSON('["review_request_removed", "converted_to_draft"]'), github.event.action)
+          ) ||
+          (
+            github.event_name == 'pull_request_review' &&
+            contains(fromJSON('["submitted", "edited"]'), github.event.action) &&
+            contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
+          )
+        run: echo "REVIEW=-1" >> $GITHUB_ENV
+
+      - name: Add 'waiting for update' label
+        # when a review by one of {owner, member, collaborator} requests changes
+        if: |
+          github.event_name == 'pull_request_review' &&
+          github.event.review.state == 'changes_requested' &&
+          contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
+        run: echo "UPDATE=1" >> $GITHUB_ENV
+
+      - name: Remove 'waiting for update' label from PR/issue
+        # when PR is commited to or if the PR is edited or if a review is requested or dismissed
+        # or when a comment is added by the author to the review or to the main PR thread
+        if: |
+          (
+            github.event_name == 'pull_request_target' &&
+            contains(fromJSON('["synchronize", "edited", "review_requested"]'), github.event.action)
+          ) ||
+          (
+            github.event_name == 'pull_request_review' &&
+            github.event.action == 'dismissed'
+          ) ||
+          (
+            github.event_name == 'pull_request_review_comment' &&
+            contains(fromJSON('["created", "edited"]'), github.event.action) &&
+            github.event.comment.user.id == github.event.pull_request.user.id
+          ) ||
+          (
+            github.event_name == 'issue_comment' &&
+            contains(fromJSON('["created", "edited"]'), github.event.action) &&
+            github.event.comment.user.id == github.event.issue.user.id
+          )
+        run: echo "UPDATE=-1" >> $GITHUB_ENV
+
+      - name: Save result in a JSON file
+        env:
+          LABELS_JSON: ${{ format('{{"waiting_for_review"{0} "{1}", "waiting_for_update"{0} "{2}", "pr_num"{0} "{3}"}}', ':', env.REVIEW, env.UPDATE, env.PR_NUM) }}
+        run: echo $LABELS_JSON > write-labels.json
+
+      - name: Upload the JSON file
+        uses: actions/upload-artifact@v4
+        with:
+          name: labels
+          path: ./write-labels.json

.github/workflows/write-labels.yml

@@ -0,0 +1,52 @@
+name: Write label on PR/issue
+
+permissions:
+  pull-requests: write
+  issues: write
+
+on:
+  workflow_run:
+    workflows: [Check labels to update]
+    types: [completed]
+
+jobs:
+  write-labels:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download workflow artifact
+        uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Read json file
+        id: json_reader
+        uses: juliangruber/read-file-action@v1.1.7
+        with:
+          path: ./labels/write-labels.json
+
+      - name: Add `waiting for review` label
+        if: fromJSON(steps.json_reader.outputs.content).waiting_for_review == 1
+        run: echo "ADD_LABELS=${ADD_LABELS}waiting for review," >> $GITHUB_ENV
+
+      - name: Remove `waiting for review` label
+        if: fromJSON(steps.json_reader.outputs.content).waiting_for_review == -1
+        run: echo "REMOVE_LABELS=${REMOVE_LABELS}waiting for review," >> $GITHUB_ENV
+
+      - name: Add `waiting for update` label
+        if: fromJSON(steps.json_reader.outputs.content).waiting_for_update == 1
+        run: echo "ADD_LABELS=${ADD_LABELS}waiting for update," >> $GITHUB_ENV
+
+      - name: Remove `waiting for update` label
+        if: fromJSON(steps.json_reader.outputs.content).waiting_for_update == -1
+        run: echo "REMOVE_LABELS=${REMOVE_LABELS}waiting for update," >> $GITHUB_ENV
+
+      - name: Apply label changes
+        if: env.ADD_LABELS || env.REMOVE_LABELS
+        uses: PauMAVA/add-remove-label-action@v1.0.3
+        with:
+          issue_number: ${{ fromJSON(steps.json_reader.outputs.content).pr_num }}
+          add: ${{ env.ADD_LABELS }}
+          remove: ${{ env.REMOVE_LABELS }}