chore: prevent unauthed PR runs

Author: Dennor

.github/workflows/build.yaml

@@ -2,6 +2,10 @@ name: build
 on:
   workflow_call:
     inputs:
+      ref:
+        required: false
+        type: string
+        default: ""
       push-image:
         required: false
         type: boolean
@@ -21,6 +25,8 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || github.ref }}
       - uses: nixbuild/nix-quick-install-action@v34
         with:
           nix_conf: |

.github/workflows/pr-unlabel.yaml

@@ -0,0 +1,15 @@
+name: pr-unlabel
+on:
+  pull_request_target:
+    types: [synchronize]
+    branches:
+      - main
+jobs:
+  remove-safe-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Remove safe-to-build label
+        run: gh pr edit ${{ github.event.pull_request.number }} --remove-label "safe-to-build" --repo ${{ github.repository }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        continue-on-error: true

.github/workflows/pr.yaml

@@ -1,11 +1,14 @@
 name: pr
 on:
-  pull_request:
+  pull_request_target:
+    types: [labeled]
     branches:
       - main
 jobs:
   check-pr:
+    if: github.event.label.name == 'safe-to-build'
     uses: ./.github/workflows/build.yaml
     with:
+      ref: ${{ github.event.pull_request.head.sha }}
       push-image: false
       create-release: false