From df96949b2c81e3b50fffc50ed33df3eb10bfa16a Mon Sep 17 00:00:00 2001
From: Helio Machado <0x2b3bfa0+git@googlemail.com>
Date: Fri, 4 Jun 2021 19:32:33 +0200
Subject: [PATCH] Allow access to secrets for external contributors (#574)
* Allow access to secrets for external contributors ...after requiring manual approval through GitHub Environments
* Protect lint job with GitHub Environments
* Move authorization to a separate job
---
 .github/workflows/test-deploy.yml | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index 7833ba152..05bf502a7 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -4,23 +4,31 @@ on:
 - cron: 0 0 * * *
 release:
 types: [published]
- pull_request:
+ pull_request_target:
 jobs:
+ authorize:
+ environment:
+ ${{ (github.event_name == 'pull_request_target' &&
+ github.event.pull_request.head.repo.full_name != github.repository) &&
+ 'external' || 'internal' }}
+ runs-on: ubuntu-latest
 lint:
+ needs: authorize
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 - run: npm ci
 - run: npm run lint
 test:
- environment:
- ${{ (github.event_name == 'pull_request' &&
- github.event.pull_request.head.repo.full_name != github.repository) &&
- 'test-external' || 'test-internal' }}
+ needs: authorize
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 - uses: actions/setup-python@v2
 - run: pip install tensorboard
@@ -42,6 +50,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 - uses: actions/setup-node@v2
 with:
 registry-url: https://registry.npmjs.org
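Review bot: The new `authorize` job, as shown in the first hunk, declares `environment` and `runs-on` but no `steps`, and a job needs at least one step to be valid, so the approval gate that `lint` and `test` rely on through `needs: authorize` may fail validation instead of waiting for a reviewer; a no-op `steps:` entry such as `- run: 'true'` would be enough. Under `pull_request_target` the `lint` and `test` jobs then run pull-request code (`npm ci`, `npm run lint`) with the base repository's token and secrets in scope, and that approval is the only barrier. Adding `persist-credentials: false` next to the new `ref:` lines, and a top-level `permissions:` block with `contents: read` where the jobs allow it, would limit what an approved run can reach. The `test` job's steps continue past the end of the hunk.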
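Review bot: The job that sets `registry-url: https://registry.npmjs.org` (hunk `@@ -42,6 +50,8 @@`) now checks out `github.event.pull_request.head.sha`, but its header is outside the hunk, so it is not visible whether it carries `needs: authorize` or an `if:` that limits it to release events. If it can run on `pull_request_target`, it would check out fork code in a job that presumably holds registry credentials. The same applies to the job with the `Metadata` step in the last hunk (`@@ -73,6 +83,7 @@`). Confirm both are gated, or drop the `ref:` line there so they stay on the default ref, and add a comment above each such job stating which events it is expected to run on.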
@@ -73,6 +83,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 fetch-depth: 0
 - name: Metadata
 id: metadata