6 changes: 4 additions & 2 deletions .github/workflows/required-labels.yml
@@ -1,6 +1,8 @@
name: Required Labels
on:
pull_request:
# Run on the base repository context so fork PRs can still post label reminders.
# This workflow does not check out or execute PR code; it only inspects PR metadata.
pull_request_target:
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether workflow actions are pinned to full commit SHAs.
# Expected: no matches after remediation.

rg -nP --type=yaml '^\s*-\s*uses:\s*[^@]+@(?!(?:[a-f0-9]{40})$).+' .github/workflows

Repository: coze-dev/coze-java

Length of output: 431


🏁 Script executed:

cat -n .github/workflows/required-labels.yml

Repository: coze-dev/coze-java

Length of output: 1035


Pin the action to a commit SHA to mitigate supply-chain risk.

This workflow uses pull_request_target with write permissions on line 5. The action at line 14 (mheap/github-action-required-labels@v5) is pinned to a mutable ref, which creates a supply-chain vulnerability. Pin to a full commit SHA instead.

Suggested fix
-      - uses: mheap/github-action-required-labels@v5
+      - uses: mheap/github-action-required-labels@<full_commit_sha>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/required-labels.yml at line 5, The workflow currently uses
the mutable tag mheap/github-action-required-labels@v5; replace that mutable ref
with a full commit SHA to pin the action and mitigate supply-chain risk. Locate
the step that references mheap/github-action-required-labels@v5 and update the
uses value to mheap/github-action-required-labels@<full-commit-sha> (obtain the
SHA from the action repo’s commit history or the release you intend to pin),
then commit the change so the workflow references the immutable commit SHA
instead of the v5 tag.

types: [opened, labeled, unlabeled, synchronize]
jobs:
label:
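Review bot: replacing the `pull_request` trigger with `pull_request_target` means this job now runs in the base repository's context, with the repository's secrets and a writable `GITHUB_TOKEN`, for pull requests opened from forks as well; the comment added just above it promises that no PR code is checked out or executed, so the job body should be held to that: no `actions/checkout` of the PR head ref and no build or test step in this workflow, plus an explicit `permissions:` block that grants only what the label check needs (`pull-requests: write`, `contents: read`). Since `types` keeps `synchronize`, every push to an open PR re-runs the job with these privileges, which is why keeping the token scope minimal and the job metadata-only matters here.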
@@ -22,4 +24,4 @@ jobs:
chore
documentation
add_comment: true
message: "Requires label: feature, enhancement, fix, bugfix, bug, chore, documentation."
message: "Requires label: feature, enhancement, fix, bugfix, bug, chore, documentation."
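Review bot: the removed and added `message:` lines at the end of this hunk render identically, so the change here looks to be whitespace-only (most likely the end-of-file newline or indentation); worth confirming that is intended, and if the aim was to adjust the reminder text, the edited value did not make it into this commit.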