From 16b0d1704533f05a13dca5a8cb533f1c0db29d52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Pacheco=20Neves?=
Date: Tue, 21 May 2024 16:13:40 +0100
Subject: [PATCH] Enable fork PRs CI to run codecov (#270)

For security reasons, fork PRs don't have access to secrets if we use `pull_request` in GH Actions CI spec, only if we use `pull_request_target`, which has its own security implications. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Codecov status reporting in CI requires a token, so for fork PRs to be able to do so we migrated to `pull_request_target` with the caveat that MRs have to be labelled and have the `run ci` label applied, which can only be done by someone with triage access to the repo. PRs originating from the original repo shouldn't require a label. This should give us a good compromise in terms of security.
---
 .github/workflows/ci.yml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 99977eb..ca56bbb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ on:
       - master
     tags:
       - '[0-9]+\.[0-9]+\.[0-9]+'
-  pull_request:
+  pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
     branches:
       - master
@@ -24,6 +24,10 @@ jobs:
   env-details:
     name: Environment details
     runs-on: macos-14
+    if: |
+      github.event_name == 'push' ||
+      !github.event.pull_request.head.repo.fork ||
+      (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
     steps:
       - name: xcode version
         run: xcodebuild -version -sdk
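Review bot: The new `pull_request_target:` trigger keeps the event's default activity types (`opened`, `synchronize`, `reopened`), and `labeled` is not one of them, so applying the `run ci` label to an already-open fork PR starts nothing until the author pushes again or the PR is reopened; adding `types: [opened, synchronize, reopened, labeled]` under `pull_request_target:` closes that gap. The flip side is that once the label is present every later `synchronize` event re-runs the gated jobs, with repository secrets in scope, against commits nobody has reviewed yet, so the label approves the PR rather than a revision. If the intent is per-revision approval, a small job that removes the `run ci` label on `synchronize` for fork PRs would make a maintainer re-approve each push. The `on:` block continues outside this hunk, so a `types:` entry there would not be visible here.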
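Review bot: The gate expression under `if:` is longer than it needs to be: for a push there is no `pull_request` payload, so `!github.event.pull_request.head.repo.fork` is already true, and the third clause only matters when `fork` is true, so the whole condition reduces to `!github.event.pull_request.head.repo.fork || contains(github.event.pull_request.labels.*.name, 'run ci')`. The same four lines are copied verbatim into `build-test`, `swiftpm`, `cocoapods` and `carthage` in the following hunks; a single gate job the others depend on via `needs:` would keep the rule in one place so the five copies cannot drift. As far as this hunk shows, `env-details` runs only `xcodebuild -version -sdk` and checks out nothing, so it executes no PR code and could be left ungated to give fork contributors at least that feedback; the rest of the job lies outside the hunk, so confirm that first.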
@@ -39,6 +43,10 @@ jobs:
   build-test:
     name: Build and Test
     runs-on: macos-14
+    if: |
+      github.event_name == 'push' ||
+      !github.event.pull_request.head.repo.fork ||
+      (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
     env:
       WORKSPACE: Alicerce.xcworkspace
       SCHEME: Alicerce
@@ -133,6 +141,10 @@ jobs:
   swiftpm:
     name: SwiftPM Build
     runs-on: macos-14
+    if: |
+      github.event_name == 'push' ||
+      !github.event.pull_request.head.repo.fork ||
+      (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
     env:
       WORKSPACE: Alicerce.xcworkspace
       SCHEME: "Alicerce (SPM)"
@@ -203,6 +215,10 @@ jobs:
   cocoapods:
     name: CocoaPods Verification
     runs-on: macos-14
+    if: |
+      github.event_name == 'push' ||
+      !github.event.pull_request.head.repo.fork ||
+      (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
     steps:
       - name: git checkout
         uses: actions/checkout@v3
@@ -232,6 +248,10 @@ jobs:
   carthage:
     name: Carthage Verification
     runs-on: macos-14
+    if: |
+      github.event_name == 'push' ||
+      !github.event.pull_request.head.repo.fork ||
+      (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'run ci'))
     env:
       # Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
       DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"
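Review bot: With the workflow now running on `pull_request_target`, the `actions/checkout@v3` step at the end of the `cocoapods` hunk checks out the base branch by default, not the PR head; unless a `with: ref:` outside this hunk selects `github.event.pull_request.head.sha`, a labelled fork PR would be verifying `master` rather than the contribution, and the same applies to the other gated jobs whose checkout steps are not visible here. If such a `ref:` is set, that checkout is the point where fork code first runs with the repository's secrets reachable, and the `if:` block should say so for the next maintainer, e.g. `# pull_request_target: fork PRs run with repo secrets in scope; the 'run ci' label is the approval gate`. If secrets are needed only for the codecov upload, building under a plain `pull_request` workflow and uploading from a `workflow_run` follow-up would keep secrets out of the job that executes PR code altogether.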