workflows: Reconfigure pr-subscriber action so that it can access secrets

Secrets are not available for workflows triggered by PRs, so we need
to split the pr-subscriber action into two separate actions.  The
first will listen for new labels on PRs and the second will add
a comment with the team mention.

See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Author: tstellar

.github/workflows/pr-receive-label.yml

@@ -0,0 +1,26 @@
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: PR Receive Label
+on:
+  pull_request:
+    types:
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  pr-subscriber:
+    runs-on: ubuntu-latest
+    if: github.repository == 'llvm/llvm-project'
+    steps:
+      - name: Store PR Information
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          echo ${{ github.event.label.name }} > ./pr/LABEL
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: pr
+          path: pr/

.github/workflows/pr-subscriber.yml

@@ -1,32 +1,61 @@
 name: PR Subscriber
 
 on:
-  pull_request:
+  workflow_run:
+    workflows: ["PR Receive Label"]
     types:
-      - labeled
+      - completed
 
 permissions:
   contents: read
 
 jobs:
   auto-subscribe:
     runs-on: ubuntu-latest
-    if: github.repository == 'llvm/llvm-project'
+    if: >
+      github.repository == 'llvm/llvm-project' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
     steps:
+      # From: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      # Updated version here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+      - name: 'Download artifact'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+
+      - run: unzip pr.zip
+
       - name: Setup Automation Script
         run: |
-          curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/github-automation.py
-          curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/requirements.txt
+          curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/main/llvm/utils/git/github-automation.py
+          curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/main/llvm/utils/git/requirements.txt
           chmod a+x github-automation.py
           pip install -r requirements.txt
 
       - name: Update watchers
         # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-        env:
-          LABEL_NAME: ${{ github.event.label.name }}
         run: |
+          PR_NUMBER=`cat NR`
+          LABEL_NAME=`cat LABEL`
           ./github-automation.py \
-          --token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \
-          pr-subscriber \
-          --issue-number '${{ github.event.pull_request.number }}' \
-          --label-name "$LABEL_NAME"
+            --token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \
+            pr-subscriber \
+            --issue-number "$PR_NUMBER" \
+            --label-name "$LABEL_NAME"