ci: split formal and build to fix posting comments

Separate formal from build so the event trigger can be set to
pull_request_target and fix posting comments. This event allows
workflow to do things like label or comment on pull requests from forks,
but it's not recommended for build jobs due to security implications.
The build jobs still depends on formal that's why it has a duplicate one
with less privileges.

It doesn't look like there's an easy and secure way to have a workflow
with lower privileges (e.g. build) depend on workflow with higher ones
(e.g. formal or labeler that modify a PR). There's only the reverse with
going from lower privileges to higher ones with workflow_run, for
example when posting build results after a build to a PR.

Either switching existing combined workflow to pull_request_target or
splitting it into formal and build and switching build to workflow_run
gives build unsafe privileges. Splitting and switching build to
workflow_dispatch requires a custom token. Posting comments from formal,
and listening to them in build requires a custom token as well. The
default GITHUB_TOKEN can't trigger workflows.

Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR")
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
Link: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Signed-off-by: George Sapkin <[email protected]>

Author: GeorgeSapkin

.github/workflows/formal.yml

@@ -0,0 +1,38 @@
+name: Test Formalities
+
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  formalities:
+    name: Test Formalities
+    uses: openwrt/actions-shared-workflows/.github/workflows/formal.yml@main
+    with:
+      post_comment: true
+
+  label_formality_status:
+    name: Add Formality Check Labels
+    runs-on: ubuntu-slim
+    needs: formalities
+    if: always()
+
+    steps:
+      - name: Add 'not following guidelines' label
+        if: needs.formalities.result == 'failure'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: add
+
+      - name: Remove 'not following guidelines' label
+        if: needs.formalities.result == 'success'
+        uses: buildsville/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "not following guidelines"
+          type: remove

.github/workflows/labeler.yml

@@ -1,21 +1,19 @@
-name: 'Pull Request Labeler'
+name: Labeler
+
 on:
-  - pull_request_target
+  pull_request_target:
 
 permissions:
   contents: read
   pull-requests: write
 
 jobs:
   labeler:
-    permissions:
-      contents: read
-      pull-requests: write
-
-    name: Pull Request Labeler
+    name: Labeler
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/labeler@v6
+      - name: Label pull request
+        uses: actions/labeler@v6
         with:
           repo-token: '${{ secrets.GITHUB_TOKEN }}'
           sync-labels: true

.github/workflows/multi-arch-test-build.yml

@@ -5,41 +5,8 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
-  formalities:
-    name: Test Formalities
-    uses: openwrt/actions-shared-workflows/.github/workflows/formal.yml@main
-    with:
-      post_comment: true
-
-  label_formality_status:
-    name: Add formality check labels
-    runs-on: ubuntu-slim
-    needs: formalities
-    if: always()
-    permissions:
-      pull-requests: write
-
-    steps:
-      - name: Add 'not following guidelines' label
-        if: needs.formalities.result == 'failure'
-        uses: buildsville/[email protected]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          labels: "not following guidelines"
-          type: add
-
-      - name: Remove 'not following guidelines' label
-        if: needs.formalities.result == 'success'
-        uses: buildsville/[email protected]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          labels: "not following guidelines"
-          type: remove
-
   build:
     name: Feeds Package Test Build
-    needs: formalities
     uses: openwrt/actions-shared-workflows/.github/workflows/multi-arch-test-build.yml@main