From 0cfba0ad1277b2d34855ae6b902fbb235c5491eb Mon Sep 17 00:00:00 2001 From: Tom Stellard Date: Wed, 18 Oct 2023 21:08:52 -0700 Subject: [PATCH] workflows: Unsplit pr-subscriber This is essentially a revert of 1ed710836a77a5a29f3649da87f9f3e8ae3aa086. It is safe to use the pull_request_target event for pr-subscriber, because it does not checkout any code from the pull request branch. --- .github/workflows/pr-receive-label.yml | 26 ------------- .github/workflows/pr-subscriber-wait.py | 27 ------------- .github/workflows/pr-subscriber.yml | 52 +++---------------------- 3 files changed, 5 insertions(+), 100 deletions(-) delete mode 100644 .github/workflows/pr-receive-label.yml delete mode 100644 .github/workflows/pr-subscriber-wait.py diff --git a/.github/workflows/pr-receive-label.yml b/.github/workflows/pr-receive-label.yml deleted file mode 100644 index c9085c44b9836..0000000000000 --- a/.github/workflows/pr-receive-label.yml +++ /dev/null @@ -1,26 +0,0 @@ -# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - -name: PR Receive Label -on: - pull_request: - types: - - labeled - -permissions: - contents: read - -jobs: - pr-subscriber: - runs-on: ubuntu-latest - if: github.repository == 'llvm/llvm-project' - steps: - - name: Store PR Information - run: | - mkdir -p ./pr - echo ${{ github.event.number }} > ./pr/NR - echo ${{ github.event.label.name }} > ./pr/LABEL - - - uses: actions/upload-artifact@v3 - with: - name: pr - path: pr/ diff --git a/.github/workflows/pr-subscriber-wait.py b/.github/workflows/pr-subscriber-wait.py deleted file mode 100644 index 633f78c147707..0000000000000 --- a/.github/workflows/pr-subscriber-wait.py +++ /dev/null 
@@ -1,27 +0,0 @@ -import github -import os -import sys -import time - - -def needs_to_wait(repo): - workflow_name = os.environ.get("GITHUB_WORKFLOW") - run_number = os.environ.get("GITHUB_RUN_NUMBER") - print("Workflow Name:", workflow_name, "Run Number:", run_number) - for status in ["in_progress", "queued"]: - for workflow in repo.get_workflow_runs(status=status): - print("Looking at ", workflow.name, "#", workflow.run_number) - if workflow.name != workflow_name: - continue - if workflow.run_number < int(run_number): - print("Workflow {} still {} ".format(workflow.run_number, status)) - return True - return False - - -repo_name = os.environ.get("GITHUB_REPOSITORY") -token = os.environ.get("GITHUB_TOKEN") -gh = github.Github(token) -repo = gh.get_repo(repo_name) -while needs_to_wait(repo): - time.sleep(30) diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml index 1fc3bfed3a66b..ef2ef7b9e4a35 100644 --- a/.github/workflows/pr-subscriber.yml +++ b/.github/workflows/pr-subscriber.yml @@ -1,22 +1,17 @@ name: PR Subscriber on: - workflow_run: - workflows: ["PR Receive Label"] + pull_request_target: types: - - completed + - labeled permissions: - actions: read contents: read jobs: auto-subscribe: runs-on: ubuntu-latest - if: > - github.repository == 'llvm/llvm-project' && - github.event.workflow_run.event == 'pull_request' && - github.event.workflow_run.conclusion == 'success' + if: github.repository == 'llvm/llvm-project' steps: - name: Setup Automation Script run: | @@ -26,47 +21,10 @@ jobs: chmod a+x github-automation.py pip install -r requirements.txt - - name: 'Wait for other actions' - # We can't use the concurrency tag for these jobs, because it will - # cancel pending jobs if another job is running. - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - python3 pr-subscriber-wait.py - - - # 
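Review bot: The property that makes `pull_request_target` acceptable for this job — it never checks out or executes anything from the PR head — is stated only in the commit message, while the workflow file itself carries no such comment now that the `# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/` line left with pr-receive-label.yml. A future step that adds `actions/checkout` with the PR ref would silently turn this into the pwn-request pattern, so the invariant belongs next to the trigger. Suggest a comment above `pull_request_target:` along the lines of `# pull_request_target runs on the base branch with secrets in scope; this job must never check out or run code from the PR head. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/`. It is also worth noting in the same comment that the `permissions:` block only scopes GITHUB_TOKEN, not `secrets.ISSUE_SUBSCRIBER_TOKEN` used later in the job, so least privilege for that token has to be enforced where it is issued.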
From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ - # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow - - name: 'Download artifact' - uses: actions/github-script@v6 - with: - script: | - const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: context.payload.workflow_run.id - }); - const matchArtifact = artifacts.data.artifacts.find((artifact) => - artifact.name === 'pr' - ); - const download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip' - }); - const { writeFileSync } = require('node:fs'); - writeFileSync('${{ github.workspace }}/pr.zip', Buffer.from(download.data)); - - - run: unzip pr.zip - - name: Update watchers - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable run: | - PR_NUMBER=$(cat NR) - LABEL_NAME=$(cat LABEL) ./github-automation.py \ --token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \ pr-subscriber \ - --issue-number "$PR_NUMBER" \ - --label-name "$LABEL_NAME" + --issue-number "${{ github.event.number }}" \ + --label-name "${{ github.event.label.name }}"
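Review bot: The two added lines at the end of the hunk interpolate `${{ github.event.number }}` and `${{ github.event.label.name }}` directly into the `run:` script of a `pull_request_target` job that has `secrets.ISSUE_SUBSCRIBER_TOKEN` in scope, and the hunk appears to drop the `# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable` reference that documented the safer pattern. `github.event.number` is numeric, but a label name is free text: who can create labels depends on repository settings, and a name containing a double quote or `$(` would break the command or be evaluated by the shell before the script ever runs. Passing both values through `env:` keeps them as opaque strings the shell only ever sees as variables, which is the hardening the removed comment pointed at and costs nothing here.
```yaml
      - name: Update watchers
        # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
        env:
          PR_NUMBER: ${{ github.event.number }}
          LABEL_NAME: ${{ github.event.label.name }}
        run: |
          ./github-automation.py \
            # … unchanged: --token and pr-subscriber arguments …
            --issue-number "$PR_NUMBER" \
            --label-name "$LABEL_NAME"
```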