* Updating sonar workflow file to fail on un-safe forked PRs

danny-gallagher · danny-gallagher · commit 2553d4c36fc8 · 2021-11-01T17:17:36.000Z
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
@@ -11,13 +11,15 @@ name: Sonar
 jobs:
   build:
     runs-on: ubuntu-latest
-    if: contains(github.event.pull_request.labels.*.name, 'tests can be run') ||
-      github.event.pull_request.head.repo.full_name == github.repository ||
-      github.event_name != 'pull_request_target'
     steps:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
+      - name: Check for external PR
+        if: ${{ !(contains(github.event.pull_request.labels.*.name, 'safe') ||
+          github.event.pull_request.head.repo.full_name == github.repository ||
+          github.event_name != 'pull_request_target') }}
+        run: echo "Unsecure PR, must be labelled with the 'safe' label, then run the workflow again" && exit 1
       - name: Set up JDK
         uses: actions/setup-java@v1
         with:
