ci: remove pull_request_target trigger (#378)

GoogleCloudPlatform · Jul 23, 2024 · eefa48b · eefa48b
1 parent 67bff82
commit eefa48b
Show file tree

Hide file tree

Showing 6 changed files with 145 additions and 260 deletions.
diff --git a/.github/labels.yml b/.github/labels.yml
@@ -16,74 +16,72 @@
   color: ededed
   description: ""
 
-- name: 'type: bug'
+- name: "type: bug"
   color: db4437
-  description: Error or flaw in code with unintended results or allowing sub-optimal
+  description:
+    Error or flaw in code with unintended results or allowing sub-optimal
     usage patterns.
-- name: 'type: cleanup'
+- name: "type: cleanup"
   color: c5def5
   description: An internal cleanup or hygiene concern.
-- name: 'type: docs'
+- name: "type: docs"
   color: 0000A0
   description: Improvement to the documentation for an API.
-- name: 'type: feature request'
+- name: "type: feature request"
   color: c5def5
   description: ‘Nice-to-have’ improvement, new feature or different behavior or design.
-- name: 'type: process'
+- name: "type: process"
   color: c5def5
   description: A process-related concern. May include testing, release, or the like.
-- name: 'type: question'
+- name: "type: question"
   color: c5def5
   description: Request for information or clarification.
 
-- name: 'priority: p0'
+- name: "priority: p0"
   color: b60205
   description: Highest priority. Critical issue. P0 implies highest priority.
-- name: 'priority: p1'
+- name: "priority: p1"
   color: ffa03e
-  description: Important issue which blocks shipping the next release. Will be fixed
+  description:
+    Important issue which blocks shipping the next release. Will be fixed
     prior to next release.
-- name: 'priority: p2'
+- name: "priority: p2"
   color: fef2c0
   description: Moderately-important priority. Fix may not be included in next release.
-- name: 'priority: p3'
+- name: "priority: p3"
   color: ffffc7
   description: Desirable enhancement or fix. May not be included in next release.
 
 - name: automerge
   color: 00ff00
   description: Merge the pull request once unit tests and other checks pass.
-- name: 'automerge: exact'
+- name: "automerge: exact"
   color: 8dd517
-  description: Summon MOG for automerging, but approvals need to be against the latest
+  description:
+    Summon MOG for automerging, but approvals need to be against the latest
     commit
 - name: do not merge
   color: d93f0b
-  description: Indicates a pull request not ready for merge, due to either quality
-    or timing.
+  description: Indicates a pull request not ready for merge, due to either quality or timing.
 
-- name: 'autorelease: pending'
+- name: "autorelease: pending"
   color: ededed
   description: Release please needs to do its work on this.
-- name: 'autorelease: tagged'
+- name: "autorelease: tagged"
   color: ededed
   description: Release please has completed a release for this.
-- name: 'autorelease: triggered'
+- name: "autorelease: triggered"
   color: ededed
   description: Release please has triggered a release for this.
 
-- name: 'tests: run'
-  color: 3DED97
-  description: Label to trigger Github Action tests.
-
-- name: 'flakybot: flaky'
+- name: "flakybot: flaky"
   color: 86d9d7
   description: Tells the Flaky Bot not to close or comment on this issue.
 
-- name: 'flakybot: quiet'
+- name: "flakybot: quiet"
   color: 86d9d7
   description: Tells the Flaky Bot to comment less.
 
-- name: 'flakybot: issue'
+- name: "flakybot: issue"
   color: a9f9f7
   description: An issue filed by the Flaky Bot. Should not be added manually.
diff --git a/.github/trusted-contribution.yml b/.github/trusted-contribution.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -16,24 +16,18 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
     paths-ignore:
-      - '**/*.md'
-      - '**/*.txt'
-  pull_request_target:
-    types: [labeled]
-    paths-ignore:
-      - '**/*.md'
-      - '**/*.txt'
+      - "**/*.md"
+      - "**/*.txt"
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analyze:
-    if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
@@ -44,27 +38,24 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript' ]
+        language: ["javascript"]
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
-      with:
-        languages: ${{ matrix.language }}
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          languages: ${{ matrix.language }}
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -15,37 +15,14 @@
 name: Code Coverage
 on:
   pull_request:
-  pull_request_target:
-    types: [labeled]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   coverage:
-    if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
     runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
     steps:
-      - name: Remove PR Label
-        if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}"
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            try {
-              await github.rest.issues.removeLabel({
-                name: 'tests: run',
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number
-              });
-            } catch (e) {
-              console.log('Failed to remove label. Another job may have already removed it!');
-            }
-
       - name: Checkout base branch
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -16,24 +16,17 @@ name: Lint
 
 on:
   pull_request:
-  pull_request_target:
-    types: [labeled]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   lint:
-    # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label)
-    if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}"
     name: Lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
 
       - name: Use Nodejs v18.x
         uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
@@ -45,5 +38,3 @@ jobs:
 
       - name: Run Lint
         run: npm run lint
-
-