You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A small workflow is added to each repo that would like to use this composite action and it will also provide a configuration, by which the python script matches patterns to labels needing applied.
Reviewed the new auto-label-pr-sdlc composite action: action.yml, label-pr.py, and README.md. The action labels PRs from conventional-commit title prefixes and changed file paths, with add/replace modes, dry-run, and .gitignore-style negation. Input handling in action.yml correctly passes user-controlled values via environment variables and argv arrays (no shell interpolation), and gh calls use argument lists rather than shell strings, so command injection is not a concern. No blocking issues found.
Code Review Details
❓ : The README example workflow uses the pull_request trigger with pull-requests: write. For PRs from forks, GITHUB_TOKEN is read-only regardless of declared permissions, so gh pr edit / gh api PATCH would fail with 403. If this action is meant to label fork contributions, the trigger/token model may need revisiting; if it only targets same-repo branch PRs, no change is needed.
auto-label-pr-sdlc/README.md:54
Notes (no action required):
No test workflow (test-auto-label-pr-sdlc.yml) was added for this action; other actions in this repo follow that convention. Consider adding one for label-pr.py matching logic.
PR titles are attacker-controllable and are printed raw to the step log (label-pr.py:258); GitHub Actions interprets ::workflow-command:: sequences in output. Practical impact is low, but masking/escaping untrusted titles in logs would harden it.
Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-34710
📔 Objective
To be able to create automated release notes, we need to categorize PRs by changes (bugfix, feature, dep-updates, etc).
I started with the example from the android repo: https://github.com/bitwarden/android/blob/main/.github/workflows/sdlc-label-pr.yml. As I wanted this workflow to be usable from all repos, it needed to be created here as a composite action. The majority of the work is done by label-pr.py.
label-pr.pyoriginates from https://github.com/bitwarden/android/blob/main/.github/scripts/label-pr.py, but got extended to allow a git like ignore syntax for file-paths.A small workflow is added to each repo that would like to use this composite action and it will also provide a configuration, by which the python script matches patterns to labels needing applied.