Enable fork PRs CI to run codecov
For security reasons, fork PRs don't have access to secrets if we use
`pull_request` in GH Actions CI spec, only if we use
`pull_request_target`, which has its own security implications. See
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Codecov status reporting in CI requires a token, so for fork PRs to
be able to do so we migrated to `pull_request_target` with the caveat
that MRs have to be labelled and have the `ready for ci` label applied,
which can only be done by someone with triage access to the repo.

This should give us a good compromise in terms of security.
p4checo committed May 17, 2024
1 parent 3f11627 commit e2593ee
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion .github/workflows/ci.yml
@@ -6,9 +6,10 @@ on:
- master
tags:
- '[0-9]+\.[0-9]+\.[0-9]+'
pull_request:
pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
branches:
- master
types: [labeled] # ensure PRs are labelled, which can only be done by users with triage access

env:
# https://github.com/actions/runner-images/blob/main/images/macos/macos-14-Readme.md#xcode
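Review bot: the `types: [labeled]` filter on `pull_request_target` means a run is only created when a label is added; later pushes to the PR branch do not re-run CI (there is no `synchronize` type), so a maintainer has to remove and re-apply `ready for ci` for every new revision they have reviewed. That is the safe direction, but it should be written down for triagers, since the label is the only thing standing between fork-supplied code and the repository secrets here. Note also that `labeled` fires for any label, so each job must still check the label name in its own condition.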
@@ -24,6 +25,7 @@ jobs:
env-details:
name: Environment details
runs-on: macos-14
if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
steps:
- name: xcode version
run: xcodebuild -version -sdk
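Review bot: the added condition `if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(...) }}` will not parse: `if:` is not a valid token inside an expression, so the workflow file is rejected at load time and no job runs. It should read `if: ${{ startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}` (the `${{ }}` can also be dropped, since `if:` is already evaluated as an expression).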
@@ -39,6 +41,7 @@ jobs:
build-test:
name: Build and Test
runs-on: macos-14
if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
env:
WORKSPACE: Alicerce.xcworkspace
SCHEME: Alicerce
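Review bot: neither side of the condition on the `if:` line is true for a plain push to `master` (`github.ref` is `refs/heads/master`, and there is no `pull_request` in a push event, so the `contains(...)` branch is false), yet the `on:` block still triggers the workflow on pushes to `master`. If master pushes are meant to keep running Build and Test, add a clause such as `github.event_name == 'push'`; otherwise the push trigger for `master` is now dead.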
@@ -133,6 +136,7 @@ jobs:
swiftpm:
name: SwiftPM Build
runs-on: macos-14
if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
env:
WORKSPACE: Alicerce.xcworkspace
SCHEME: "Alicerce (SPM)"
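Review bot: the same `if:` expression is now copied into every job, which makes the gate easy to drift (one job edited, the others not). Consider a single gating job that evaluates the label check once and having the build jobs declare `needs:` on it, so the access decision for fork PRs lives in one place.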
@@ -203,6 +207,7 @@ jobs:
cocoapods:
name: CocoaPods Verification
runs-on: macos-14
if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
steps:
- name: git checkout
uses: actions/checkout@v3
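Review bot: under `pull_request_target`, `actions/checkout@v3` as written here checks out the base branch, not the fork's head, so this job would verify `master` rather than the PR's changes unless a `ref:` pointing at the PR head is added. Confirm which is intended: if the PR head is checked out, this step runs fork-supplied code in a context that has the repository secrets, and the `ready for ci` label becomes the sole control, so it must only be applied after a human has read the diff.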
@@ -232,6 +237,7 @@ jobs:
carthage:
name: Carthage Verification
runs-on: macos-14
if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
env:
# Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"