gha: Set ci-on-push to run on pull_request_target

This is less secure than running the PR on `pull_request`, and will require using an additional `ok-to-test` label to make sure someone deliverately ran the actions coming from a forked repo. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-05-01 21:24:36 +00:00 · 2023-04-03 18:16:52 +02:00 · 2023-04-03 18:16:52 +02:00 · 3215860a47
commit 3215860a47
parent d17dfe4cdd
1 changed files with 9 additions and 1 deletions
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@ -1,14 +1,21 @@
 name: Kata Containers CI
 on:
-  pull_request
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - labeled
+      - synchronize

 jobs:
  build-kata-static-tarball-amd64:
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
      tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.sha }}

  publish-kata-deploy-payload-amd64:
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    needs: build-kata-static-tarball-amd64
    uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
    with:
@ -20,6 +27,7 @@ jobs:
    secrets: inherit

  run-k8s-tests-on-aks:
+    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    needs: publish-kata-deploy-payload-amd64
    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
    with: