Add "safe to test" label for CI

Author: Murderlon

.github/workflows/ci.yml

@@ -1,9 +1,19 @@
 name: CI
+# SECURITY NOTE: This workflow uses pull_request_target which has access to secrets.
+# This is needed because tests require access to external services with credentials.
+# `pull_request_target` will always run without manual approval, even if "Require approval for all external contributors" is enabled in the repo settings.
+# Therefore we implement a "safe to test" label that must be manually added once we have checked that the diff is safe.
+# For PRs from forks, secrets are only provided when the "safe to test" label is present.
+# This allows maintainers to safely test external contributions while preventing
+# malicious actors from accessing secrets.
 on:
   push:
     branches: [main]
+    paths-ignore:
+      - "**.md"
+      - ".changeset/**"
   pull_request_target:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, labeled]
     paths-ignore:
       - "**.md"
       - ".changeset/**"
@@ -14,10 +24,21 @@ on:
 
 concurrency: ${{ github.workflow }}--${{ github.ref }}
 
+permissions:
+  pull-requests: write
+
 jobs:
   main:
     name: Node.js 20
     runs-on: ubuntu-latest
+    # Only run tests with secrets if:
+    # 1. This is a push to main, OR
+    # 2. PR is from the same repository (trusted), OR
+    # 3. PR has the "safe to test" label (maintainer approved)
+    if: |
+      github.event_name == 'push' || 
+      github.event.pull_request.head.repo.full_name == github.repository ||
+      contains(github.event.pull_request.labels.*.name, 'safe to test')
 
     steps:
       - name: Checkout sources