From e2593eeb1317aae36ace22e918d058da8d5c4fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andre=CC=81=20Pacheco=20Neves?=
Date: Fri, 17 May 2024 13:48:20 +0100
Subject: [PATCH] Enable fork PRs CI to run codecov

For security reasons, fork PRs don't have access to secrets if we use `pull_request` in GH Actions CI spec, only if we use `pull_request_target`, which has its own security implications. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Codecov status reporting in CI requires a token, so for fork PRs to be able to do so we migrated to `pull_request_target` with the caveat that MRs have to be labelled and have the `ready for ci` label applied, which can only be done by someone with triage access to the repo. This should give us a good compromise in terms of security.
---
 .github/workflows/ci.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 99977eb..238f7e6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,9 +6,10 @@ on:
 - master
 tags:
 - '[0-9]+\.[0-9]+\.[0-9]+'
- pull_request:
+ pull_request_target: # forks don't have access to secrets if we use `pull_request`, which is required for codecov
 branches:
 - master
+ types: [labeled] # ensure PRs are labelled, which can only be done by users with triage access
 
 env:
 # https://github.com/actions/runner-images/blob/main/images/macos/macos-14-Readme.md#xcode
@@ -24,6 +25,7 @@ jobs:
 env-details:
 name: Environment details
 runs-on: macos-14
+ if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
 steps:
 - name: xcode version
 run: xcodebuild -version -sdk
@@ -39,6 +41,7 @@ jobs:
 build-test:
 name: Build and Test
 runs-on: macos-14
+ if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: Alicerce
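Review bot: `types: [labeled]` makes a fork PR run CI only at the moment a label is added; commits pushed after the `ready for ci` label was applied do not re-run the workflow (there is no `synchronize` type here), while any later label event re-runs against the new head with secrets available, so the label approves whatever the head is at that time rather than the commit a triager actually looked at. I'd say that on the line itself, e.g. `types: [labeled] # only triage users can label; the label must be removed and re-applied after new commits`, and consider clearing the label on new pushes so a stale approval cannot cover unreviewed fork code. The `on:` block starts before this hunk, so I cannot confirm that the push trigger above `- master` is unchanged.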
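Review bot: The added `if:` line is not a valid expression: `${{ if: startsWith(...) }}` nests a second `if:` inside the `${{ }}` block, which GitHub's expression parser rejects, so the workflow will fail to load before any job runs; it should read `if: ${{ startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}`. The identical line is added in the hunks at -39, -133, -203 and -232 and needs the same fix. Once it parses, the condition is also false for a push to master (`github.ref` is `refs/heads/master` and there is no `github.event.pull_request`), so if the push trigger for master shown in the first hunk is still present those runs will be silently skipped; adding `github.event_name == 'push' ||` to the condition would keep them. Note also that the `contains` check is re-evaluated on every `labeled` event, so adding any unrelated label to an already-approved PR triggers a fresh run.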
@@ -133,6 +136,7 @@ jobs:
 swiftpm:
 name: SwiftPM Build
 runs-on: macos-14
+ if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
 env:
 WORKSPACE: Alicerce.xcworkspace
 SCHEME: "Alicerce (SPM)"
@@ -203,6 +207,7 @@ jobs:
 cocoapods:
 name: CocoaPods Verification
 runs-on: macos-14
+ if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
 steps:
 - name: git checkout
 uses: actions/checkout@v3
@@ -232,6 +237,7 @@ jobs:
 carthage:
 name: Carthage Verification
 runs-on: macos-14
+ if: ${{ if: startsWith(github.ref, 'refs/tags/') || contains(github.event.pull_request.labels.*.name, 'ready for ci') }}
 env:
 # Use Xcode 15.3 (latest) for Carthage to avoid iOS device/simulator version mismatches
 DEVELOPER_DIR: "/Applications/Xcode_15.3.app/Contents/Developer"
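Review bot: With `pull_request_target`, the `actions/checkout@v3` step shown in the cocoapods hunk checks out the base branch by default rather than the fork's head, so unless a `with: ref:` pointing at the PR head follows below the hunk (not visible here) this job would verify master instead of the PR's changes. If the checkout does use the PR head, the `ready for ci` label is the only control between fork-controlled code and the repository secrets; I'd pin to `github.event.pull_request.head.sha` rather than a mutable branch ref and document the trade-off on the step, e.g. `# pull_request_target: checking out the PR head runs fork code with secrets; gated by the 'ready for ci' label`. The checkout steps of the other jobs are outside these hunks and presumably need the same treatment.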