Updated PR-audit flow with label (#41)

agrasth · web-flow · commit 84d75be4340b · 2025-12-18T02:26:40.000+05:30
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches: [ main, master ]
   pull_request_target:
-    types: [ opened, synchronize ]
+    types: [ labeled ]
   schedule:
     - cron: '0 9 * * 1'  # Weekly on Monday at 9 AM UTC
 
@@ -15,6 +15,7 @@ permissions:
 
 jobs:
   jfrog-audit:
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test')
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -41,3 +42,15 @@ jobs:
       - name: Run Tests
         run: mvn clean test -B
 
+      - name: Remove label
+        if: always() && github.event_name == 'pull_request_target'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              name: 'safe to test'
+            })
+
