From 754822385ee6d7b901c51ee20fe068b71a3f18e6 Mon Sep 17 00:00:00 2001
From: Riaan Kleinhans
Date: Sat, 2 May 2026 16:27:45 -0400
Subject: [PATCH] Refactor slash-commands workflow for improved clarity and security

Signed-off-by: Riaan Kleinhans
---
 .github/workflows/slash-commands.yml | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/slash-commands.yml b/.github/workflows/slash-commands.yml
index b23871dc..66b59903 100644
--- a/.github/workflows/slash-commands.yml
+++ b/.github/workflows/slash-commands.yml
@@ -1,8 +1,8 @@
 name: Slash Commands
 
-# Same pattern as cncf/toc/.github/workflows/slash-commands.yaml: dispatch from
-# issue_comment and process via repository_dispatch in one workflow (simpler to copy
-# to other repos). comment_body for processing uses the payload comment (like TOC).
+# Same arrangement as cncf/toc/.github/workflows/slash-commands.yaml: dispatch on
+# issue_comment, process on repository_dispatch; labeler via cncf/automation action
+# reference (no checkout). Bump the SHA when `.github/actions/labeler-action` changes.
 
 on:
   issue_comment:
@@ -20,7 +20,10 @@ on:
       - remove-area-command
       - remove-help-command
 
-permissions: {}
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
 
 concurrency:
   group: slash-command-${{ github.event.issue.number || github.event.client_payload.github.payload.issue.number || github.run_id }}
@@ -29,12 +32,10 @@ concurrency:
 jobs:
   dispatch-slash-command:
     name: Dispatch Slash Command
-    if: github.event_name == 'issue_comment' && github.event.comment.body
+    if: github.event_name == 'issue_comment'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
-      - name: Dispatch slash commands
+      - name: Dispatch supported slash commands from issues and PRs
         uses: peter-evans/slash-command-dispatch@9bdcd7914ec1b75590b790b844aa3b8eee7c683a # v5
         with:
           token: ${{ secrets.SLASH_COMMANDS_PAT }}
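Review bot: Moving `permissions:` to workflow level in the `@@ -20,7 +20,10 @@` hunk gives every job, including `dispatch-slash-command`, a GITHUB_TOKEN with `issues: write` and `pull-requests: write`, whereas the job-level block removed in the `@@ -29,12 +32,10 @@` hunk limited that job to `contents: read` — and that job authenticates with `SLASH_COMMANDS_PAT`, not `GITHUB_TOKEN`, so the extra scopes are unused there. Because the job runs on every `issue_comment`, the widened default token now sits in the most exposed job of the workflow, which works against the "security" goal in the subject. Either keep `permissions: {}` at workflow level and restore the former job-level blocks (the `@@ -58,19 +59,15 @@` hunk on the next line removes the one on `process-slash-command`), or add `permissions:` with `contents: read` under `dispatch-slash-command` so the inherited write scopes are overridden for it. The `if:` change in the same hunk also drops the `github.event.comment.body` guard; if that was intentional, a one-line comment above the `if:` saying why would keep the next reader from restoring it.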
@@ -58,19 +59,15 @@ jobs:
     name: Process Slash Command
     if: github.event_name == 'repository_dispatch'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
     steps:
       - name: Run labeler action for issue/PR command
-        uses: ./.github/actions/labeler-action
+        uses: cncf/automation/.github/actions/labeler-action@5251ad697eb04fc7b32d05accb8aeea472164294
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           labels: https://raw.githubusercontent.com/cncf/automation/refs/heads/main/.github/labels.yaml
-          owner: ${{ github.event.client_payload.github.payload.repository.owner.login }}
-          repo: ${{ github.event.client_payload.github.payload.repository.name }}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ github.event.repository.name }}
           issue_number: ${{ github.event.client_payload.github.payload.issue.number }}
           comment_body: ${{ github.event.client_payload.github.payload.comment.body }}
           changed_files: ""
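Review bot: The new `uses:` line pins the labeler action to a bare SHA with no tag or revision comment, unlike `peter-evans/slash-command-dispatch@… # v5` in the dispatch job, so a reader cannot tell what `5251ad69…` corresponds to or when it is due for a bump; suggest `uses: cncf/automation/.github/actions/labeler-action@5251ad697eb04fc7b32d05accb8aeea472164294 # <tag or date of the pinned revision>`. The untouched `labels:` line fetches from `cncf/automation` on `main`, which suggests this workflow lives in that same repository and now runs a SHA-pinned copy of `.github/actions/labeler-action` instead of the checked-out one — if so, action changes in a PR are not exercised by this workflow until merged and the SHA is bumped, which the header comment in the first hunk only partly states. Switching `owner`/`repo` to `github.repository_owner` / `github.event.repository.name` is a sound hardening, since those values no longer come from the dispatched payload; `issue_number` and `comment_body` still do, so the pinned action should keep consuming `comment_body` as a plain input rather than expression-interpolating it into a `run:` step. The `process-slash-command` job header starts above the hunk.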