From e419e858aae46ef637c438d085fcee6de329fdb8 Mon Sep 17 00:00:00 2001
From: Jeremy Ary <jary@redhat.com>
Date: Tue, 5 Mar 2024 15:17:29 -0600
Subject: [PATCH] revert security label check for PR title validation & add
 explicit read-only permission instead

Signed-off-by: Jeremy Ary <jary@redhat.com>
---
 .github/workflows/lint_pr.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/lint_pr.yml b/.github/workflows/lint_pr.yml
index 12f7182ce8e..d1aa7d16a3e 100644
--- a/.github/workflows/lint_pr.yml
+++ b/.github/workflows/lint_pr.yml
@@ -7,12 +7,13 @@ on:
       - edited
       - synchronize
 
+permissions:
+  # read-only perms specified due to use of pull_request_target in lieu of security label check
+  pull-requests: read
+
 jobs:
   validate-title:
-    # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
-      ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
-      (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&
       github.repository == 'feast-dev/feast'
     name: Validate PR title
     runs-on: ubuntu-latest