From 51afe257a39fc9c988d10cfa5392c08624df2c53 Mon Sep 17 00:00:00 2001
From: Josh Hunt
Date: Mon, 24 Jun 2024 11:18:30 +0100
Subject: [PATCH] CI: Run auto-milestone on pull_request_target for forks (#89410)
* CI: Run auto-milestone on pull_request_target for forks
* remove milestone check
---
 .github/pr-checks.json | 7 ------
 .github/workflows/auto-milestone.yml | 35 +++++++++-------------------
 2 files changed, 11 insertions(+), 31 deletions(-)
diff --git a/.github/pr-checks.json b/.github/pr-checks.json
index b97dbc137ec..3566f6a65df 100644
--- a/.github/pr-checks.json
+++ b/.github/pr-checks.json
@@ -1,11 +1,4 @@
 [
- {
- "type": "check-milestone",
- "title": "Milestone Check",
- "targetUrl": "https://github.com/grafana/grafana/blob/main/contribute/merge-pull-request.md#assign-a-milestone",
- "success": "Milestone set",
- "failure": "Milestone not set"
- },
 {
 "type": "check-changelog",
 "title": "Changelog Check",
diff --git a/.github/workflows/auto-milestone.yml b/.github/workflows/auto-milestone.yml
index 22226f1158b..7b38cb0b01d 100644
--- a/.github/workflows/auto-milestone.yml
+++ b/.github/workflows/auto-milestone.yml
@@ -1,39 +1,26 @@ name: Auto-milestone on: - pull_request: + pull_request_target: types: - opened - reopened - closed + - ready_for_review +permissions: + pull-requests: write + +# Note: this action runs with write permissions on GITHUB_TOKEN even from forks +# so it must not run untrusted code (such as checking out the pull request) jobs: - config: - runs-on: "ubuntu-latest" - outputs: - has-secrets: ${{ steps.check.outputs.has-secrets }} - steps: - - name: "Check for secrets" - id: check - shell: bash - run: | - if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then - echo "has-secrets=1" >> "$GITHUB_OUTPUT" - fi - main: - needs: config - if: needs.config.outputs.has-secrets runs-on: ubuntu-latest + if: github.event.pull_request.draft == false steps: - - name: "Generate token" - id: generate_token - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 - with: - app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }} - private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }} - + # Note: Github will not trigger other actions from this because it uses + # the GITHUB_TOKEN token - name: Run auto-milestone uses: grafana/grafana-github-actions-go/auto-milestone@main with: pr: ${{ github.event.pull_request.number }} - token: ${{ steps.generate_token.outputs.token }} + token: ${{ secrets.GITHUB_TOKEN }}
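Review bot: The `uses: grafana/grafana-github-actions-go/auto-milestone@main` step is unchanged, but it now runs on `pull_request_target` with `pull-requests: write` for fork PRs, so whatever commit sits at the tip of that action's `main` branch executes with a write-scoped token. The removed `tibdex/github-app-token` step was pinned to a commit SHA, and the same would suit this one: `uses: grafana/grafana-github-actions-go/auto-milestone@<full-commit-sha>  # placeholder: pin to a reviewed commit`. The added comment about not running untrusted code could also note that PR-derived values the action reads through the API (title, branch names, body) are attacker-controlled on fork PRs. Whether the action treats them purely as data is not visible in this hunk.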