This is an automated email from the ASF dual-hosted git repository.
github-bot pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/datafusion.git
The following commit(s) were added to refs/heads/main by this push:
new cbe5cb36ce ci: Harden labeler workflow, remove unnecessary checkout
from pull_request_target job (#20637)
cbe5cb36ce is described below
commit cbe5cb36ce3ad3cc56c7735c698770e00ff9c45f
Author: Kevin Liu <[email protected]>
AuthorDate: Wed Mar 4 17:41:22 2026 -0500
ci: Harden labeler workflow, remove unnecessary checkout from
pull_request_target job (#20637)
## Which issue does this PR close?
<!--
We generally require a GitHub issue to be filed for all bug fixes and
enhancements and this helps us generate change logs for our releases.
You can link an issue to this PR using the GitHub syntax. For example
`Closes #123` indicates that this PR will close issue #123.
-->
- Closes #.
## Rationale for this change
This PR removes the checkout step from the labeler workflow and keeps
labeling behavior unchanged.
<!--
Why are you proposing this change? If this is already explained clearly
in the issue then this section is not needed.
Explaining clearly why changes are proposed helps reviewers understand
your changes and offer better suggestions for fixes.
-->
## What changes are included in this PR?
<!--
There is no need to duplicate the description in the issue here but it
is sometimes worth providing a summary of the individual changes in this
PR.
-->
The workflow runs on `pull_request_target`, which has elevated repo
context. `actions/labeler` does not require a local checkout to work
with `configuration-path`; if the file is not on disk, it fetches it via
the GitHub API.
Removing checkout reduces attack surface and avoids exposing persisted
git credentials to subsequent steps.
## Are these changes tested?
Yes, tested on my forked.
I force pushed this change to my fork's `main` branch, then open a [test
PR](https://github.com/kevinjqliu/datafusion/pull/2) against it. The
[labeler github action ran successfully on my
fork](https://github.com/kevinjqliu/datafusion/actions/runs/22553132113/job/65326120264)
and labeled the PR
<!--
We typically require tests for all PRs in order to:
1. Prevent the code from being accidentally broken by subsequent changes
2. Serve as another way to document the expected behavior of the code
If tests are not included in your PR, please explain why (for example,
are they covered by existing tests)?
-->
## Are there any user-facing changes?
<!--
If there are user-facing changes then we may require documentation to be
updated before approving the PR.
-->
<!--
If there are any breaking changes to public APIs, please add the `api
change` label.
-->
No
---
.github/workflows/labeler.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 06c58cd802..a575b39577 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -39,8 +39,6 @@ jobs:
contents: read
pull-requests: write
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
-
- name: Assign GitHub labels
if: |
github.event_name == 'pull_request_target' &&
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
