Enable fork PRs CI to run codecov (#270)
For security reasons, fork PRs don't have access to secrets if we use
`pull_request` in GH Actions CI spec, only if we use
`pull_request_target`, which has its own security implications. See
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Codecov status reporting in CI requires a token, so for fork PRs to
be able to do so we migrated to `pull_request_target` with the caveat
that MRs have to be labelled and have the `run ci` label applied,
which can only be done by someone with triage access to the repo. PRs
originating from the original repo shouldn't require a label.

This should give us a good compromise in terms of security.
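The commit message describes the pattern in prose only. The following is an added example of how a security engineer would wire it up, not the Alicerce project's own workflow: the trust decision is made once in a `gate` job, the label event actually triggers a run, the GITHUB_TOKEN is read-only, and the checkout of the fork's code is explicit rather than implicit. The job name `gate`, the secret `CODECOV_TOKEN`, the `codecov/codecov-action` step, the `ubuntu-latest` runner for the gate and the `xcodebuild` invocation are assumptions; the `run ci` label, the `master` branch and the `macos-14` runner come from the diff.

```yaml
# Added example, not the Alicerce project's own workflow. Assumed: a secret
# named CODECOV_TOKEN, the codecov/codecov-action upload step, a job called
# `gate`, and the xcodebuild invocation. The `run ci` label and the `master`
# branch are taken from the commit being reviewed.
name: CI

on:
  push:
    branches:
      - master
  pull_request_target:
    branches:
      - master
    # `labeled` is required: the default types (opened, synchronize, reopened)
    # do not start a run when a triager applies the label to an existing PR.
    types: [opened, synchronize, reopened, labeled]

# Least privilege for the GITHUB_TOKEN handed to every job below.
permissions:
  contents: read

jobs:
  # The trust decision lives in exactly one place. Jobs that `needs:` this one
  # are skipped automatically whenever it is skipped.
  gate:
    name: Allow CI for this event?
    runs-on: ubuntu-latest
    if: |
      github.event_name == 'push' ||
      !github.event.pull_request.head.repo.fork ||
      contains(github.event.pull_request.labels.*.name, 'run ci')
    steps:
      - run: echo "trusted event, or fork PR approved via the 'run ci' label"

  build-test:
    name: Build and Test
    needs: gate
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the BASE branch by default. Pointing
          # at the PR head is what puts untrusted fork code on a runner that
          # holds secrets, so it must sit behind the gate above. On a push
          # event there is no pull_request object, hence the fallback.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - name: Build and test (assumed invocation)
        run: xcodebuild -workspace Alicerce.xcworkspace -scheme Alicerce -destination 'platform=macOS' test
      - name: Upload coverage
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # the only step that needs a secret
```

Two operational caveats follow from this design. First, once the label is on a fork PR, every later push to that PR re-triggers a `synchronize` event that runs with secrets, so the label is an approval of one revision and should be removed after each reviewed run. Second, jobs that do not need the token (here, anything that is not the coverage upload) gain nothing from `pull_request_target`; keeping them on `pull_request` in a separate workflow file (a single workflow listening on both events would run twice) lets fork PRs get ordinary CI without waiting for a triager.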
p4checo authored May 21, 2024
1 parent 3f11627 commit 16b0d17
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -6,7 +6,7 @@ on:
- master
tags:
- '[0-9]+\.[0-9]+\.[0-9]+'
pull_request:
pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
branches:
- master

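Review bot: with the default event types, applying the `run ci` label never starts a run. `pull_request_target` fires only on opened, synchronize and reopened unless `types:` lists `labeled`, so a fork PR that is labelled after it was opened stays skipped until the author pushes again, and a manual re-run reuses the original, unlabelled event payload. Add `types: [opened, synchronize, reopened, labeled]` under `pull_request_target:`. The inline comment should also say the other half of the trade: this event runs with the base repository's secrets available, so from here on every job that checks out and executes PR code is running untrusted code with secrets in reach, and once the label is applied every subsequent push from the fork re-runs with them.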
Expand All @@ -24,6 +24,10 @@ jobs:
env-details:
name: Environment details
runs-on: macos-14
if: |
github.event_name == 'push' ||
!github.event.pull_request.head.repo.fork ||
(github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
steps:
- name: xcode version
run: xcodebuild -version -sdk
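Review bot: the third clause of the condition is redundant, and the same four-line expression is duplicated into five jobs. `!github.event.pull_request.head.repo.fork || (github.event.pull_request.head.repo.fork && contains(...))` is equivalent to `!github.event.pull_request.head.repo.fork || contains(github.event.pull_request.labels.*.name, 'run ci')`. Better still, put the condition on a single gate job and have the other jobs `needs:` it; dependents of a skipped job are skipped too, and a later edit (renaming the label, adding a job) cannot leave one job ungated.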
Expand All @@ -39,6 +43,10 @@ jobs:
build-test:
name: Build and Test
runs-on: macos-14
if: |
github.event_name == 'push' ||
!github.event.pull_request.head.repo.fork ||
(github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
env:
WORKSPACE: Alicerce.xcworkspace
SCHEME: Alicerce
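Review bot: per the commit message this is the only job that needs the Codecov token, yet every job now inherits the `pull_request_target` exposure and the label gate, so a fork PR gets no CI at all until someone with triage access labels it. Consider leaving the jobs that use no secrets on `pull_request` (in a separate workflow file, since one workflow listening on both events would run twice) and reserving `pull_request_target` plus the label for the job that uploads coverage. While here, add a top-level `permissions: contents: read` so the job that does hold the token runs with a read-only GITHUB_TOKEN; the diff shows no `permissions:` block.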
Expand Down Expand Up @@ -133,6 +141,10 @@ jobs:
swiftpm:
name: SwiftPM Build
runs-on: macos-14
if: |
github.event_name == 'push' ||
!github.event.pull_request.head.repo.fork ||
(github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
env:
WORKSPACE: Alicerce.xcworkspace
SCHEME: "Alicerce (SPM)"
Expand Down Expand Up @@ -203,6 +215,10 @@ jobs:
cocoapods:
name: CocoaPods Verification
runs-on: macos-14
if: |
github.event_name == 'push' ||
!github.event.pull_request.head.repo.fork ||
(github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
steps:
- name: git checkout
uses: actions/checkout@v3
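Review bot: under `pull_request_target` this `actions/checkout@v3` step checks out the base branch, not the PR, unless a `ref:` pointing at `github.event.pull_request.head.sha` follows (the remaining lines of the step are not shown here). Without it the verification silently tests master; with it, this is the exact step that puts untrusted fork code on a runner holding secrets, which is why the label gate on this job must never be dropped. Set `persist-credentials: false` on the checkout so the GITHUB_TOKEN is not left in `.git/config` for the checked-out code to read, and consider moving to `actions/checkout@v4`.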
Expand Down Expand Up @@ -232,6 +248,10 @@ jobs:
carthage:
name: Carthage Verification
runs-on: macos-14
if: |
github.event_name == 'push' ||
!github.event.pull_request.head.repo.fork ||
(github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
env:
# Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"