ci: Convert to pull_request_target

stephanosio · stephanosio · commit 2fc95f5c1a04 · 2022-03-31T18:02:11.000+09:00
This commit converts the CI workflow to trigger on the
`pull_request_target` instead of `pull_request`, in order to allow
accessing secrets in the workflow.

Signed-off-by: Stephanos Ioannidis &lt;root@stephanos.io&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,7 +5,7 @@ name: CI
 on:
   push:
     branches: [ main ]
-  pull_request:
+  pull_request_target:
     branches: [ main ]
   workflow_call:
   workflow_dispatch:
@@ -51,7 +51,7 @@ on:
         - xtensa-sample_controller_zephyr-elf
 
 concurrency:
-  group: ${{ github.event_name == 'workflow_dispatch' && github.run_id || github.ref }}
+  group: ${{ github.event_name == 'workflow_dispatch' && github.run_id || github.head_ref || github.ref }}
   cancel-in-progress: ${{ github.event_name != 'workflow_dispatch' }}
 
 env:
@@ -75,6 +75,7 @@ jobs:
       uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Generate version file
       run: |
@@ -91,7 +92,7 @@ jobs:
       id: generate-matrix
       run: |
         # Set build configurations
-        if [ "${{ github.event_name }}" == "pull_request" ]; then
+        if [ "${{ github.event_name }}" == "pull_request_target" ]; then
           # Set configurations based on the pull request labels
           ${{ contains(github.event.pull_request.labels.*.name, 'ci-linux-x86_64') }}   && build_host_linux_x86_64="y"
           ${{ contains(github.event.pull_request.labels.*.name, 'ci-linux-aarch64') }}  && build_host_linux_aarch64="y"
@@ -481,6 +482,7 @@ jobs:
       uses: actions/checkout@v2
       with:
         submodules: recursive
+        persist-credentials: false
 
     - name: Build crosstool-ng
       run: |
@@ -757,6 +759,7 @@ jobs:
       uses: actions/checkout@v2
       with:
         submodules: recursive
+        persist-credentials: false
 
     - name: Build Linux host tools
       if: startsWith(matrix.host.name, 'linux-')
@@ -857,6 +860,8 @@ jobs:
 
     - name: Check out source code
       uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Build CMake package
       run: |
@@ -938,6 +943,7 @@ jobs:
       uses: actions/checkout@v2
       with:
         path: repository
+        persist-credentials: false
 
     - name: Download artifacts
       uses: actions/download-artifact@v2
