nsidc · chuckwondo · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024 · mfisher87
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -2,6 +2,11 @@ name: Integration Tests
 
 on:
   pull_request:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
   push:
     branches:
       - main
@@ -30,7 +35,26 @@ jobs:
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Fetch user permission
+        if: ${{ github.event_name == 'pull_request_target' }}
+        id: permission
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+      - name: Check user permission
+        if: ${{ github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false' }}
+        # If the triggering actor does not have write permission (i.e., this is a
+        # PR from a fork), then we exit, otherwise most of the integration tests will
+        # fail because they require access to secrets.  In this case, a maintainer
+        # will need to make sure the PR looks safe, and if so, manually re-run the
+        # failed jobs.
+        run: |
+          echo "User ${{ github.triggering_actor }} does not have permission to run integration tests."
+          echo "A maintainer must perform a security review and re-run this build, if the code is safe."
-          echo "User ${{ github.triggering_actor }} does not have permission to run integration tests."
-          echo "A maintainer must perform a security review and re-run this build, if the code is safe."
+          echo "User ${{ github.triggering_actor }} does not have permission to run integration tests." | tee -a $GITHUB_OUTPUT
+          echo "A maintainer must perform a security review and re-run this build, if the code is safe (see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." | tee -a $GITHUB_OUTPUT
+          echo "Re-run at ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | tee -a $GITHUB_OUTPUT
-          echo "User ${{ github.triggering_actor }} does not have permission to run integration tests."
-          echo "A maintainer must perform a security review and re-run this build, if the code is safe."
+          echo "User ${{ github.triggering_actor }} does not have permission to run integration tests." | tee -a $GITHUB_OUTPUT
+          echo "A maintainer must perform a security review and re-run this build, if the code is safe (see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." | tee -a $GITHUB_OUTPUT
+          echo "Re-run at ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | tee -a $GITHUB_OUTPUT
+          exit 1
+      - name: Checkout source
+        uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@v5
         with: