
fix(gha): Fix labeling permissions for outsiders (#36287)

Permissions for workflows depend on a number of things.
For security reasons, the `pull_request` event when triggered
by users who don't have write permissions to the destination
repository doesn't have write permissions.

This meant that when non-members created PRs into this repository,
the workflow failed. This was not the desired behavior.
(Especially as people who could write to the repository could
manually add labels to their own PRs already, so the labeler
workflow was presumably most important for people without write
access.)

See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

If a workflow needs to be able to perform write operations for a
pull request where the requester might not have write access, then
GitHub offers a different event (pull_request_target) with different
defaults.

As the labeler workflow needs to be able to triage foreign PRs,
it needs to run from pull_request_target.

The labeler workflow only needs to be able to write to the pull
request, so we explicitly grant it that write permission.

It also needs to be able to read the repository (roughly the
checkout) in order to determine which labels to apply, so we
assign content read permissions.

By assigning these explicit permissions, most other permissions
are set to none.

The configuration used here is effectively equivalent to the
current defaults for the starter workflow for this action:
https://github.com/actions/starter-workflows/blob/1d9d6d7fb0a8a27ef98efbbfa9689cd14c906383/.github/workflows/labeler-triage.yml

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Josh Soref 2 years ago
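As an added illustration of the pattern the commit message describes (this is example configuration written for this page, not a file from the commit or from the repository), the workflow below shows the `pull_request_target` trigger with job-scoped permissions, the safe default checkout of the base ref, and, commented out, the checkout of the fork head that must not appear in such a job. The `ubuntu-latest` runner, the `permissions: {}` default, the `filters` input for the paths-filter action, the path globs, the label names and the `gh pr edit` step are all assumptions, not taken from the diff.

```yaml
# Added example, not part of the commit: a pull_request_target workflow that
# keeps the write-capable GITHUB_TOKEN away from fork-controlled code.
name: meta(labels)   # name taken from the diff; everything below is assumed

on:
  pull_request_target:   # runs in the base repo context, also for fork PRs

# Workflow-level default of no permissions; each job asks for what it needs.
permissions: {}

jobs:
  label-pullrequest:
    permissions:
      contents: read        # read the base ref (the filter definitions live there)
      pull-requests: write  # add labels to the PR
    runs-on: ubuntu-latest
    steps:
      # SAFE: default checkout uses github.sha, i.e. the base branch tip,
      # never the pull request head from the fork.
      - uses: actions/checkout@v3

      # UNSAFE in a pull_request_target job (shown only to mark the trap):
      # checking out the PR head and then executing anything from it runs
      # the fork's code with this job's write token.
      #   - uses: actions/checkout@v3
      #     with:
      #       ref: ${{ github.event.pull_request.head.sha }}
      #   - run: npm ci && npm test

      - name: Check for file changes
        id: changes
        # action name from the diff; the filter syntax and paths are assumed
        uses: getsentry/paths-filter@master
        with:
          filters: |
            frontend:
              - 'static/**'
            backend:
              - 'src/**'

      # Only metadata from the event is used here, and only the PR number,
      # which is an integer and cannot carry shell metacharacters. Never
      # interpolate attacker-controlled strings such as the PR title into run:.
      - name: Label frontend changes
        if: steps.changes.outputs.frontend == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr edit "${{ github.event.pull_request.number }}" --add-label "Scope: Frontend"

      - name: Label backend changes
        if: steps.changes.outputs.backend == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr edit "${{ github.event.pull_request.number }}" --add-label "Scope: Backend"
```

The point of the layout is that every step that runs with the write-capable token consumes the fork's changes only as data (file paths, the PR number), never as code.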
parent
commit
cb7773c0cb
1 changed files with 5 additions and 2 deletions

+ 5 - 2
.github/workflows/label-pullrequest.yml

@@ -2,14 +2,17 @@
 name: meta(labels)
 
 on:
-  pull_request:
+  pull_request_target:
 
 jobs:
   label-pullrequest:
+    permissions:
+      contents: read
+      pull-requests: write
     name: labels pull requests (frontend / backend)
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Check for file changes
         uses: getsentry/paths-filter@master
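Review bot: With the trigger switched to `pull_request_target` (the `+  pull_request_target:` line), this job now runs in the base repository's context with a write-capable token, so the `actions/checkout@v3` step must keep checking out the base ref (its default) and no later step may check out or execute code from the PR head, for example via `ref: ${{ github.event.pull_request.head.sha }}`; a short comment above the `on:` block stating that constraint would stop a future contributor from adding such a step. Also, `uses: getsentry/paths-filter@master` tracks a mutable branch; now that the job holds `pull-requests: write`, pinning that action to a full commit SHA would keep an upstream change to it from gaining write access to pull requests here.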