From 42e6729327f2eb4589ddec98c01517efd6a2ea39 Mon Sep 17 00:00:00 2001
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com>
Date: Mon, 2 Dec 2024 16:31:21 -0300
Subject: [PATCH] Require environment rule to run CI steps

---
 .github/workflows/ci.yml | 45 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 69046b263cd..2579c8b8ebe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  approve:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Approve external contribution
+        run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+    if: ${{ github.event.pull_request.head.repo.fork }}
+
   formatting-linting:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Formatting, linting & changeset checks
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -80,6 +92,10 @@ jobs:
           retention-days: 5
 
   unit-tests:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Unit Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -131,6 +147,10 @@ jobs:
           retention-days: 5
 
   integration-tests:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Integration Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
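Review bot: The `environment:` reference added to formatting-linting is unconditional, so whatever protection rule is attached to "Run CI for external contribution" (required reviewers, presumably — nothing in this file establishes it) holds every run of the job, including pushes and same-repo PRs, not only fork PRs. The gate is also only as strong as that repository setting, which the workflow itself cannot verify, so I would record that next to the reference: `# Protection comes from the environment's required-reviewers rule in repo settings; without it this line gates nothing.` As the collapsed text reads, the `if:` on `approve` is a job-level key, which skips the job for non-fork events and, because a dependant without its own condition is skipped whenever a job it `needs` is skipped, would skip formatting-linting (and the other `needs: [approve]` jobs) for internal PRs too; if that is the intended placement, give the dependants `if: ${{ !cancelled() && needs.approve.result != 'failure' }}`, otherwise move the condition onto the echo step. Scoping the approval to forks alone would require the environment name itself to be an expression on `github.event.pull_request.head.repo.fork` — verify that an empty name is accepted before relying on that.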
@@ -152,31 +172,6 @@ jobs:
             next-version: '15'
 
     steps:
-      # Skip integration tests from fork PRs to prevent secret exfiltration
-      - name: Get User Permission
-        id: checkAccess
-        uses: actions-cool/check-user-permission@v2
-        with:
-          require: write
-          username: ${{ github.triggering_actor }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Check User Permission
-        if: steps.checkAccess.outputs.require-result == 'false'
-        run: |
-          echo "${{ github.triggering_actor }} does not have permissions on this repo."
-          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-          echo "Job originally triggered by ${{ github.actor }}"
-          exit 1
-
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          show-progress: false
-          # We must first verify the user permissions before checking out PR code
-          ref: ${{ github.event.pull_request.head.sha }}
-
       - name: Setup
         id: config
         uses: ./.github/actions/init-blacksmith
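Review bot: Removing the whole `Checkout Repo` step leaves `uses: ./.github/actions/init-blacksmith` as the first step of integration-tests, and a local `./` action can only be resolved after the repository has been checked out, so this job should fail at Setup unless a checkout exists somewhere outside this hunk. Only the permission-check steps needed to go; the checkout itself, including the `ref:` the old step pinned, should stay, with the environment approval added in the job header now standing in for the removed actor check. The old comment explaining why fork PRs were skipped is gone too, so the remaining step should say where the protection now lives. The integration-tests job header and the rest of its steps are outside this hunk.

```yaml
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          show-progress: false
          # PR code is only checked out after the "Run CI for external contribution"
          # environment rule on this job has been satisfied (see the job header).
          ref: ${{ github.event.pull_request.head.sha }}

      # … unchanged: Setup step (init-blacksmith) …
```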