rerun on fork simplification (#45)

* doc: comment that job changes only take affect when merged to main

Author: gilescope

.github/workflows/checkmarx.yaml

@@ -8,6 +8,14 @@ permissions:
   security-events: write     # to upload the scan results
 
 on:
+  # pull_request_target allows secrets to be read from fork PRs.
+  # DO NOT build or run checked out code from this job.
+  #
+  # Please note: Due to how this job is run, any changes to this
+  # job will only take affect when merged to main.
+  #
+  # From https://michaelheap.com/access-secrets-from-forks/
+  # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
   pull_request_target:
     types: [opened, synchronize, reopened]
   push:
@@ -26,22 +34,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      # From https://michaelheap.com/access-secrets-from-forks/
-      # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
-      - name: Get User Permission
-        id: checkAccess
-        uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103  #v2
-        with:
-          require: write
-          username: ${{ github.triggering_actor }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Check User Permission
-        if: steps.checkAccess.outputs.require-result == 'false'
+      - name: Check access
+        if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' }}
         run: |
-          echo "${{ github.triggering_actor }} does not have permissions on this repo."
-          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-          echo "Job originally triggered by ${{ github.actor }}"
+          echo "This job needs re-running by someone with collaboration permissions."
           exit 1
 
       # This is dangerous without the first access check