use environments and pull_request_target

Author: AshleyDumaine

.github/workflows/build_test_ci.yml

@@ -4,9 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request:
-    branches:
-      - "*"
+  pull_request_target:
   workflow_dispatch:
 
 permissions:
@@ -15,7 +13,7 @@ permissions:
   actions: read
 
 concurrency:
-  group: build-test-ci-${{ github.ref }}
+  group: build-test-ci-${{ github.event.pull_request.number || github.ref_name }}
   cancel-in-progress: true
 
 jobs:
@@ -26,6 +24,8 @@ jobs:
       paths: ${{ steps.filter.outputs.changes }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Harden Runner
         uses: step-security/harden-runner@v2
         with:
@@ -45,6 +45,8 @@ jobs:
     if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Validate YAML file
         run: yamllint templates
 
@@ -72,6 +74,8 @@ jobs:
             raw.githubusercontent.com:443
 
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Go
         uses: actions/setup-go@v5
@@ -99,6 +103,7 @@ jobs:
 
   e2e-test:
     needs: changes
+    environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
     strategy:
       fail-fast: false
       matrix:
@@ -116,6 +121,7 @@ jobs:
 
   docker-build:
     runs-on: ubuntu-latest
+    environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
     needs: changes
     if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
     steps:
@@ -140,6 +146,8 @@ jobs:
             storage.googleapis.com:443
 
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Docker cache
         uses: ScribeMD/[email protected]