wip: duplicate formal to fix posting comments

Duplicate formal so the event trigger can be set to pull_request_target
and fix posting comments. This event allows the workflow to do things
like label or comment on pull requests from forks, but it's not
recommended for build jobs due to security implications. The build jobs
still depends on formal that's why it has a duplicate one with less
privileges.

It doesn't look like there's an easy and secure way to have a workflow
with lower privileges (e.g. build) depend on workflow with higher ones
(e.g. formal or labeler that modify a PR). There's only the reverse with
going from lower privileges to higher ones with workflow_run, for
example when posting build results after a build to a PR.

Either switching existing combined workflow to pull_request_target or
splitting it into formal and build and switching build to workflow_run
gives build unsafe privileges. Splitting and switching build to
workflow_dispatch requires a custom token.

wip: switch to workflow_dispatch

Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR")
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
Link: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Signed-off-by: George Sapkin <[email protected]>

Author: GeorgeSapkin

.github/workflows/formal.yml

@@ -0,0 +1,54 @@
+name: Test Formalities
+
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  formalities:
+    name: Test Formalities
+    uses: openwrt/actions-shared-workflows/.github/workflows/formal.yml@main
+    with:
+      post_comment: true
+
+  label_formality_status:
+    name: Add Formality Status
+    runs-on: ubuntu-slim
+    needs: formalities
+    if: always()
+
+    steps:
+      - name: Trigger build
+        if: needs.formalities.result == 'success'
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.DEFAULT_TOKEN }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'multi-arch-test-build.yml',
+              ref: 'master',
+              inputs: {
+                pr_number: context.issue.number.toString(),
+              },
+            });
+
+      - name: Add 'not following guidelines' label
+        if: needs.formalities.result == 'failure'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: add
+
+      - name: Remove 'not following guidelines' label
+        if: needs.formalities.result == 'success'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: remove

.github/workflows/labeler.yml

@@ -1,21 +1,19 @@
-name: 'Pull Request Labeler'
+name: Labeler
+
 on:
-  - pull_request_target
+  pull_request_target:
 
 permissions:
   contents: read
   pull-requests: write
 
 jobs:
   labeler:
-    permissions:
-      contents: read
-      pull-requests: write
-
-    name: Pull Request Labeler
+    name: Labeler
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/labeler@v6
+      - name: Label pull request
+        uses: actions/labeler@v6
         with:
           repo-token: '${{ secrets.GITHUB_TOKEN }}'
           sync-labels: true