posquit0 / Awesome-CV

:page_facing_up: Awesome CV is LaTeX template for your outstanding job application
LaTeX Project Public License v1.3c
22.93k stars 4.77k forks

Fix broken GitHub Actions workflows #402

Closed posquit0 closed 2 years ago

posquit0 commented 2 years ago

Background

Problem Solving

OJFord commented 2 years ago

Ah, noticed a gotcha in #403 - it won't run any of the workflows, including the one to add this welcome message, until manually approved. Can that be set on a per-workflow basis?

posquit0 commented 2 years ago

> Ah, noticed a gotcha in #403 - it won't run any of the workflows, including the one to add this welcome message, until manually approved. Can that be set on a per-workflow basis?

In general, GitHub doesn't allow the write action to the repository by PR from outside collaborators. This is especially true if the pull request author's arbitrary action code can be executed. The pull_request event triggers an action on the changed code base. On the other hand, the pull_request_target event is safe because it triggers an action in the base branch codebase, and therefore grants write permission to the repository by default.

OJFord commented 2 years ago

Yeah, that just seems a shame when it's just to add a message like this.

Seems to me it would be safe to be able to say 'run this specific workflow, as it is on master' (so you're asserting it's a safe workflow, doesn't execute anything the user has provided, and also not allowing the user to edit the workflow itself). But I don't think GitHub supports it.
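
The trade-off discussed in this thread, as an added example that is not taken from the thread or from the Awesome-CV repository: a welcome-message workflow on pull_request_target that stays within the "doesn't execute anything the user has provided" constraint. GitHub's documentation states that pull_request_target runs use the base branch's workflow file and are not held for manual approval. The file path, message text and action version tag are assumptions.

```yaml
# Added example, not the project's own workflow.
# Hypothetical path: .github/workflows/welcome.yml
name: Welcome

on:
  # The workflow definition is read from the base branch, so a pull
  # request cannot alter what this job runs.
  pull_request_target:
    types: [opened]

# Default to no token permissions; grant per job below.
permissions: {}

jobs:
  welcome:
    runs-on: ubuntu-latest
    # Only greet authors with no previously merged contribution.
    if: >-
      contains(fromJSON('["FIRST_TIME_CONTRIBUTOR","FIRST_TIMER"]'),
      github.event.pull_request.author_association)
    permissions:
      pull-requests: write   # enough to post a comment, nothing else
    steps:
      # Deliberately no actions/checkout step. Checking out
      # github.event.pull_request.head.sha here and building or running
      # it would execute the author's code with a write-scoped token,
      # which is the case the pull_request event is restricted for.
      - uses: actions/github-script@v7   # pin to a reviewed commit SHA in practice
        with:
          script: |
            // Constant body: no PR title, branch name or other
            // author-controlled text is interpolated into the script.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: "Thanks for your first pull request!", // constructed sample text
            });
```

Workflows that build or test the submitted code belong on the pull_request event, where the token is read-only for forks and the approval gate applies.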