Add Sonar support for forked PRs

Author: danny-gallagher

.github/workflows/sonar.yml

@@ -3,7 +3,7 @@ name: Sonar
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
     branches:
       - main
   schedule:
@@ -16,6 +16,11 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
+      - name: Check for external PR
+        if: ${{ !(contains(github.event.pull_request.labels.*.name, 'safe') ||
+          github.event.pull_request.head.repo.full_name == github.repository ||
+          github.event_name != 'pull_request_target') }}
+        run: echo "Unsecure PR, must be labelled with the 'safe' label, then run the workflow again" && exit 1
       - name: Set up Python 3.8
         uses: actions/setup-python@v2
         with:
@@ -33,4 +38,4 @@ jobs:
         uses: SonarSource/sonarcloud-github-action@master
         env:
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'