ci: remove pull_request_target trigger (#613)

Author: jackwotherspoon

.github/labels.yml

@@ -15,60 +15,60 @@
 - name: duplicate
   color: ededed
   description: ""
-- name: 'type: bug'
+- name: "type: bug"
   color: db4437
   description: Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
-- name: 'type: cleanup'
+- name: "type: cleanup"
   color: c5def5
   description: An internal cleanup or hygiene concern.
-- name: 'type: docs'
+- name: "type: docs"
   color: 0000A0
   description: Improvement to the documentation for an API.
-- name: 'type: feature request'
+- name: "type: feature request"
   color: c5def5
   description: ‘Nice-to-have’ improvement, new feature or different behavior or design.
-- name: 'type: process'
+- name: "type: process"
   color: c5def5
   description: A process-related concern. May include testing, release, or the like.
-- name: 'type: question'
+- name: "type: question"
   color: c5def5
   description: Request for information or clarification.
-- name: 'priority: p0'
+- name: "priority: p0"
   color: b60205
   description: Highest priority. Critical issue. P0 implies highest priority.
-- name: 'priority: p1'
+- name: "priority: p1"
   color: ffa03e
   description: Important issue which blocks shipping the next release. Will be fixed prior to next release.
-- name: 'priority: p2'
+- name: "priority: p2"
   color: fef2c0
   description: Moderately-important priority. Fix may not be included in next release.
-- name: 'priority: p3'
+- name: "priority: p3"
   color: ffffc7
   description: Desirable enhancement or fix. May not be included in next release.
 - name: do not merge
   color: d93f0b
   description: Indicates a pull request not ready for merge, due to either quality or timing.
-- name: 'autorelease: pending'
+- name: "autorelease: pending"
   color: ededed
   description: Release please needs to do its work on this.
-- name: 'autorelease: triggered'
+- name: "autorelease: triggered"
   color: ededed
   description: Release please has triggered a release for this.
-- name: 'autorelease: tagged'
+- name: "autorelease: tagged"
   color: ededed
   description: Release please has completed a release for this.
-- name: 'tests: run'
+- name: "tests: run"
   color: 3DED97
   description: Label to trigger Github Action tests.
-- name: 'tests: run-unit'
+- name: "tests: run-unit"
   color: 3DED97
   description: Label to trigger Github Action unit tests.
-- name: 'flakybot: flaky'
+- name: "flakybot: flaky"
   color: 86d9d7
   description: Tells the Flaky Bot not to close or comment on this issue.
-- name: 'flakybot: quiet'
+- name: "flakybot: quiet"
   color: 86d9d7
   description: Tells the Flaky Bot to comment less.
-- name: 'flakybot: issue'
+- name: "flakybot: issue"
   color: a9f9f7
   description: An issue filed by the Flaky Bot. Should not be added manually.

.github/trusted-contribution.yml

@@ -16,4 +16,4 @@ annotations:
   - type: label
     text: "tests: run-unit"
 
-trustedContributors: ['renovate-bot', 'gcf-merge-on-green[bot]']
+trustedContributors: ["renovate-bot", "gcf-merge-on-green[bot]"]

.github/workflows/codeql.yml

@@ -16,24 +16,18 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
     paths-ignore:
-      - '**/*.md'
-      - '**/*.txt'
-  pull_request_target:
-    types: [labeled]
-    paths-ignore:
-      - '**/*.md'
-      - '**/*.txt'
+      - "**/*.md"
+      - "**/*.txt"
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analyze:
-    if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}"
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
@@ -44,33 +38,30 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'go' ]
+        language: ["go"]
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-    - name: Setup Go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
-      with:
-        go-version: "1.22"
-      if: ${{ matrix.language == 'go' }}
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: "1.22"
+        if: ${{ matrix.language == 'go' }}
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
-      with:
-        languages: ${{ matrix.language }}
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
+        with:
+          languages: ${{ matrix.language }}
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
-    # If this step fails, then you should remove it and run the build manually
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
-      with:
-        category: "/language:${{matrix.language}}"
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/tests-main.yaml

@@ -18,26 +18,25 @@ on: # at 5:10 UTC every day and on each push to main
     - cron: "10 5 * * *"
   push:
     branches:
-      - 'main'
+      - "main"
 permissions: read-all
 jobs:
   unit:
     name: unit tests
     runs-on: ubuntu-latest
     permissions:
-      contents: 'read'
-      id-token: 'write'
+      contents: "read"
+      id-token: "write"
     steps:
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - id: 'auth'
+      - id: auth
         name: Authenticate to Google Cloud
         uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
         with:
-          workload_identity_provider: ${{ secrets.PROVIDER_NAME }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ vars.PROVIDER_NAME }}
+          service_account: ${{ vars.SERVICE_ACCOUNT }}
           access_token_lifetime: 600s
-          project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }}
       - name: Setup Go
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
@@ -66,42 +65,48 @@ jobs:
     name: e2e tests
     runs-on: ubuntu-latest
     permissions:
-      contents: 'read'
-      id-token: 'write'
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - id: 'auth'
-        name: 'Authenticate to Google Cloud'
+      - id: auth
+        name: Authenticate to Google Cloud
         uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
         with:
-          workload_identity_provider: ${{ secrets.PROVIDER_NAME }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ vars.PROVIDER_NAME }}
+          service_account: ${{ vars.SERVICE_ACCOUNT }}
           access_token_lifetime: 600s
-          project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }}
-          create_credentials_file: true
-      - name: 'Set up Cloud SDK'
+      - id: secrets
+        name: Get secrets
+        uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          secrets: |-
+            NODEPOOL_SERVICEACCOUNT_EMAIL:${{ vars.GOOGLE_CLOUD_PROJECT }}/NODEPOOL_SERVICEACCOUNT_EMAIL
+            TFSTATE_STORAGE_BUCKET:${{ vars.GOOGLE_CLOUD_PROJECT }}/TFSTATE_STORAGE_BUCKET
+            WORKLOAD_ID_SERVICEACCOUNT_EMAIL:${{ vars.GOOGLE_CLOUD_PROJECT }}/WORKLOAD_ID_SERVICEACCOUNT_EMAIL
+      - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
-      - name: 'Setup Go'
+      - name: "Setup Go"
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.22"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
-      - id: 'e2e'
-        name: 'Run E2E Tests'
+      - id: e2e
+        name: Run E2E Tests
         run: "./tools/e2e_test_job.sh"
         # specifying bash shell ensures a failure in a piped process isn't lost
         # by using `set -eo pipefail`
         shell: bash
         env:
           ENVIRONMENT_NAME: "ci-branch-main"
-          NODEPOOL_SERVICEACCOUNT_EMAIL: "${{secrets.NODEPOOL_SERVICEACCOUNT_EMAIL}}"
-          WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{secrets.WORKLOAD_ID_SERVICEACCOUNT_EMAIL}}"
-          TFSTATE_STORAGE_BUCKET: "${{secrets.TFSTATE_STORAGE_BUCKET}}"
-          E2E_PROJECT_ID: "${{secrets.GOOGLE_CLOUD_PROJECT}}"
+          NODEPOOL_SERVICEACCOUNT_EMAIL: "${{ steps.secrets.outputs.NODEPOOL_SERVICEACCOUNT_EMAIL }}"
+          WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{ steps.secrets.outputs.WORKLOAD_ID_SERVICEACCOUNT_EMAIL }}"
+          TFSTATE_STORAGE_BUCKET: "${{ steps.secrets.outputs.TFSTATE_STORAGE_BUCKET }}"
+          E2E_PROJECT_ID: "${{vars.GOOGLE_CLOUD_PROJECT}}"
       - name: Convert test output to XML
         if: ${{ (github.event_name == 'schedule' || github.event_name == 'push') && always() }}
         run: |

.github/workflows/tests.yaml

@@ -14,46 +14,17 @@
 
 name: tests
 on:
+  # Add labeled type to defaults
   pull_request:
-  pull_request_target:
-    types: [labeled]
+    types: [opened, synchronize, reopened, labeled]
 # Declare default permissions as read only.
 permissions: read-all
 jobs:
   unit:
     if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' || github.event.label.name == 'tests: run-unit' }}"
     name: unit tests
     runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
     steps:
-      - name: Remove PR Label
-        if: "${{ github.event.action == 'labeled' && (github.event.label.name == 'tests: run' || github.event.label.name == 'tests: run-unit') }}"
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            try {
-              await github.rest.issues.removeLabel({
-                name: 'tests: run',
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number
-              });
-            } catch (e) {
-              console.log('Failed to remove label. Another job may have already removed it!');
-            }
-            try {
-              await github.rest.issues.removeLabel({
-                name: 'tests: run-unit',
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.payload.pull_request.number
-              });
-            } catch (e) {
-              console.log('Failed to remove label. Another job may have already removed it!');
-            }
       - name: Setup Go
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
@@ -73,41 +44,42 @@ jobs:
     name: e2e tests
     runs-on: ubuntu-latest
     permissions:
-      contents: 'read'
-      id-token: 'write'
-      issues: write
-      pull-requests: write
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-      - id: 'auth'
+      - id: auth
         name: Authenticate to Google Cloud
         uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
         with:
-          workload_identity_provider: ${{ secrets.PROVIDER_NAME }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ vars.PROVIDER_NAME }}
+          service_account: ${{ vars.SERVICE_ACCOUNT }}
           access_token_lifetime: 600s
-          project_id: ${{ secrets.GOOGLE_CLOUD_PROJECT }}
-          create_credentials_file: true
+      - id: secrets
+        name: Get secrets
+        uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          secrets: |-
+            NODEPOOL_SERVICEACCOUNT_EMAIL:${{ vars.GOOGLE_CLOUD_PROJECT }}/NODEPOOL_SERVICEACCOUNT_EMAIL
+            TFSTATE_STORAGE_BUCKET:${{ vars.GOOGLE_CLOUD_PROJECT }}/TFSTATE_STORAGE_BUCKET
+            WORKLOAD_ID_SERVICEACCOUNT_EMAIL:${{ vars.GOOGLE_CLOUD_PROJECT }}/WORKLOAD_ID_SERVICEACCOUNT_EMAIL
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
-      - name: 'Setup Go'
+      - name: Setup Go
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.22"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
-      - id: 'e2e'
-        name: 'Run E2E Tests'
+      - id: e2e
+        name: "Run E2E Tests"
         run: "./tools/e2e_test_job.sh"
         env:
           ENVIRONMENT_NAME: "ci-pr"
-          NODEPOOL_SERVICEACCOUNT_EMAIL: "${{secrets.NODEPOOL_SERVICEACCOUNT_EMAIL}}"
-          WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{secrets.WORKLOAD_ID_SERVICEACCOUNT_EMAIL}}"
-          TFSTATE_STORAGE_BUCKET: "${{secrets.TFSTATE_STORAGE_BUCKET}}"
-          E2E_PROJECT_ID: "${{secrets.GOOGLE_CLOUD_PROJECT}}"
+          NODEPOOL_SERVICEACCOUNT_EMAIL: "${{ steps.secrets.outputs.NODEPOOL_SERVICEACCOUNT_EMAIL }}"
+          WORKLOAD_ID_SERVICEACCOUNT_EMAIL: "${{ steps.secrets.outputs.WORKLOAD_ID_SERVICEACCOUNT_EMAIL }}"
+          TFSTATE_STORAGE_BUCKET: "${{ steps.secrets.outputs.TFSTATE_STORAGE_BUCKET }}"
+          E2E_PROJECT_ID: "${{vars.GOOGLE_CLOUD_PROJECT}}"