From 558bea84d435f7b0cd10a775c6eb65478e5bec63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Thu, 16 May 2024 10:56:01 +0200
Subject: [PATCH] Create label_actor.yml
---
.../CWE-367/.github/workflows/label_actor.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
new file mode 100644
index 00000000000..1debaecf97d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
@@ -0,0 +1,17 @@
+# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable
+name: Label Trigger Test
+on:
+ pull_request_target:
+ types: [labeled]
+ branches: [main]
+
+jobs:
+ integration-tests:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - run: bash label_example/tests.sh
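Review bot: The header comment on the first added line does not say what result this fixture expects from the CWE-367 query, and its claim that actor gates "should not be bypassable" is broader than what the workflow shows. The `if:` condition constrains who triggered the `labeled` event, while `ref: ${{ github.event.pull_request.head.ref }}` is a branch name resolved when the checkout step runs, so the gate alone does not pin which commit `bash label_example/tests.sh` executes under `pull_request_target`. If the intent is a negative case, I would reword the comment along the lines of `# Negative case for the label-gate TOCTOU query: gated on actor, not on a label. The head.ref checkout is still untrusted code and is out of scope for this query.` It is also worth confirming that the test's expected output, which is not part of this patch, has no row for this workflow.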