Use pull_request_target event

GitHub security policy disallows sharing secrets with forks in public
repositories [1]. However, we need pull requests to push temporary
Docker images to a registry, which requires access to secrets unless we
use GitHub Packages.

To work around this, this commit switches to the `pull_request_target`
event, which works on the repository and commit that the pull request is
based on, but manually checks out and uses the code from the pull
request. This is a mild security hazard but should be OK, since
workflows on pull requests from new contributors need to be approved
anyways.

 [1]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

.github/workflows/main.yml

@@ -8,7 +8,7 @@ on:
       - 'CHANGES.md'
       - 'contributions/*'
       - '.github/**/*'
-  pull_request:
+  pull_request_target:
   workflow_dispatch:
   schedule:
     - cron: '30 4 * * MON'
@@ -21,6 +21,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@1.1.0
         env:
@@ -31,6 +34,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
       - name: Install additional packages
         run: |
           set -ex
@@ -46,6 +52,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
       - name: Install additional packages
         run: |
           set -ex
@@ -66,6 +75,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
       - name: Install additional packages
         run: |
           set -ex
@@ -83,6 +95,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
       - name: Install additional packages
         run: |
           set -ex
@@ -114,12 +129,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
         with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
           fetch-depth: 0
           submodules: true
       - name: Build Docker image
         run: |
           make docker-image TEXLIVE_TAG=${{ matrix.texlive }} \
-                            NO_DOCUMENTATION=${{ github.event_name == 'pull_request' && github.event.pull_request.draft == true }}
+                            NO_DOCUMENTATION=${{ github.event_name == 'pull_request_target' && github.event.pull_request.draft == true }}
       - name: Login to GitHub Packages
         uses: docker/login-action@v2
         with:
@@ -151,6 +168,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
         with:
+          repository: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref }}
           fetch-depth: 0
           submodules: true
       - name: Test Lua command-line interface
@@ -160,7 +179,7 @@ jobs:
           test "$RESULT" = '\markdownRendererDocumentBegin
           Hello \markdownRendererEmphasis{Markdown}! $a_x + b_x = c_x$\markdownRendererDocumentEnd'
       - name: Run unit tests
-        run: make FAIL_FAST=${{ github.ref != 'refs/heads/main' }} test
+        run: make FAIL_FAST=${{ github.event_name == 'pull_request_target' }} test
   publish-docker-image:
     name: Publish Docker image
     needs:
@@ -173,7 +192,7 @@ jobs:
           - TL2022-historic
           - latest
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
@@ -201,7 +220,7 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/witiko/markdown:${{ needs.build-docker-image.outputs[matrix.texlive] }}
-    if: github.ref == 'refs/heads/main'
+    if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2