From 689f2cd250445105e5b44ba22e3e85d90bb37bf3 Mon Sep 17 00:00:00 2001 From: Silvano Cerza <3314350+silvanocerza@users.noreply.github.com> Date: Thu, 16 Feb 2023 16:02:41 +0100 Subject: [PATCH] Update docstring-labeler.yml workflow to safely run in PRs from forks (#4146) --- .github/utils/docstrings_checksum.py | 8 +++++++- .github/workflows/docstring-labeler.yml | 15 +++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/.github/utils/docstrings_checksum.py b/.github/utils/docstrings_checksum.py index c8bf9ab4e..75eefb0b6 100644 --- a/.github/utils/docstrings_checksum.py +++ b/.github/utils/docstrings_checksum.py @@ -30,8 +30,14 @@ def docstrings_checksum(python_files: Iterator[Path]): if __name__ == "__main__": + import argparse + + parser = argparse.ArgumentParser() + parser.add_argument("--root", help="Haystack root folder", required=True, type=Path) + args = parser.parse_args() + # Get all Haystack and rest_api python files - root = Path(__file__).parent.parent.parent + root: Path = args.root.absolute() haystack_files = root.glob("haystack/**/*.py") rest_api_files = root.glob("rest_api/**/*.py") diff --git a/.github/workflows/docstring-labeler.yml b/.github/workflows/docstring-labeler.yml index 983c15493..b016a4c16 100644 --- a/.github/workflows/docstring-labeler.yml +++ b/.github/workflows/docstring-labeler.yml @@ -1,14 +1,11 @@ name: Add label on docstrings edit on: - pull_request: + pull_request_target: paths: - "haystack/**/*.py" - "rest_api/**/*.py" -permissions: - pull-requests: write - jobs: label: runs-on: ubuntu-latest 
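Review bot: `root: Path = args.root.absolute()` accepts any path without checking that it exists, so a wrong `--root` makes both `root.glob(...)` calls yield nothing and the script prints the checksum of an empty file set instead of failing; in the labeler that means the base and head checksums agree and the label is silently never applied. Add `if not root.is_dir(): parser.error(f"{root} is not a directory")` right after the `absolute()` call so the workflow step fails loudly rather than degrading to a no-op. `docstrings_checksum` itself is defined above this hunk and is not visible here.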
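Review bot: The removed `permissions:` block is not replaced, so after the switch to `pull_request_target` the job runs with the repository's default GITHUB_TOKEN permissions instead of the explicit `pull-requests: write` it had before; on a repository whose default is `write-all` that is a broad write-capable token in a workflow that goes on to check out fork code. Restore an explicit least-privilege block on the job, `permissions:` / `  contents: read` / `  pull-requests: write`, since the labeling step (outside this hunk) only needs the pull-request scope. The mitigation the commit describes relies on the checked-out fork code never running; keeping the token minimal limits the blast radius if that assumption ever breaks.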
@@ -19,6 +16,12 @@ jobs: with: ref: ${{ github.base_ref }} + - name: Copy file + # We copy our script after base ref checkout so we keep executing + # the same version even after checking out the HEAD ref. + # This is done to prevent executing malicious code in forks' PRs. + run: cp .github/utils/docstrings_checksum.py "${{ runner.temp }}/docstrings_checksum.py" + - name: Setup Python uses: actions/setup-python@v4 with: @@ -27,7 +30,7 @@ jobs: - name: Get docstrings id: base-docstrings run: | - CHECKSUM=$(python .github/utils/docstrings_checksum.py) + CHECKSUM=$(python "${{ runner.temp }}/docstrings_checksum.py" --root "${{ env.GITHUB_WORKSPACE }}") echo "checksum=$CHECKSUM" >> "$GITHUB_OUTPUT" - name: Checkout HEAD commit @@ -36,7 +39,7 @@ jobs: - name: Get docstrings id: head-docstrings run: | - CHECKSUM=$(python .github/utils/docstrings_checksum.py) + CHECKSUM=$(python "${{ runner.temp }}/docstrings_checksum.py" --root "${{ env.GITHUB_WORKSPACE }}") echo "checksum=$CHECKSUM" >> "$GITHUB_OUTPUT" - name: Check if we should label
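Review bot: `--root "${{ env.GITHUB_WORKSPACE }}"` reads the `env` context, which per GitHub's documentation holds only variables set in the workflow file, not the runner's default variables, so the expression may expand to an empty string; `Path("").absolute()` then silently resolves to the current directory, and the step only appears to work because the runner starts in the workspace. Use the shell variable, `--root "$GITHUB_WORKSPACE"`, or the `${{ github.workspace }}` context instead. The shell form also avoids interpolating workflow expressions into `run:` scripts, which is the injection pattern to keep out of a `pull_request_target` workflow; the identical line appears again in the head-docstrings step further down.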
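Review bot: The `Checkout HEAD commit` step's `with:` block is outside the hunk, so it is not visible whether it sets `persist-credentials: false`; under `pull_request_target` the token that actions/checkout stores in `.git/config` is the base repository's token, and here it would be left in a working tree populated with the fork's code. Confirm that step passes `persist-credentials: false` and checks out the PR head SHA rather than a mutable ref, otherwise the copied-script mitigation can be undermined by credentials left on disk. The copied script still parses fork-controlled `.py` files, which is safe only as long as `docstrings_checksum` reads them rather than importing them; that cannot be confirmed from this diff and is worth stating in the step comment.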