Use pull_request_target instead of pull_request

The pull_request didn't allowed us to run a CI for external
contributions due to access restriction to secrets. The
pull_request_target should allow it. However a new gating mechanism is
need to prevent attackers from leaking a secrets.

This commit adds a new gated environment that is required for PR coming
from forks.

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

.github/workflows/build-and-test.yml

@@ -5,7 +5,7 @@ on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened, labeled]
   workflow_dispatch:
 
@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Set up PDM
         uses: pdm-project/setup-pdm@94a823180e06fcde4ad29308721954a521c96ed0 # v4.4
@@ -45,6 +47,7 @@ jobs:
   build:
     name: Build and push image
     runs-on: ubuntu-latest
+    environment: ${{ github.event.pull_request.head.repo.fork && 'build-and-test' || '' }}
 
     steps:
       - name: Set variables
@@ -56,6 +59,8 @@ jobs:
             echo "tags=${{ github.sha }}">> $GITHUB_OUTPUT
           fi
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Build Image
         id: build-image
@@ -95,6 +100,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Prepare
         id: prepare

README.md

@@ -212,6 +212,20 @@ running OCP cluster and requires some resources a tests are execute only when
 workflow.
 
 All PRs should pass a tests before merging.
+
+### CI/CD for external contributors
+The repository contains Github Actions workflows that automatically run all
+CI steps including linting, building and testing the operator pipelines.
+
+In case of a pull request from a forked repository the tests are not executed
+automatically due to security reasons. To run the tests an owner of the repository
+must review the pull request to make sure it doesn't contain any malicious code
+then approve the `build-and-test` workflow environment.
+
+The manuall approval is not needed for contributors who have write access to the
+repository and not using a forked repository.
+
+
 ## Additional Documentation
 
 - [OpenShift cluster configuration](docs/cluster-config.md)