From dd344385850f4c23091a3445a3bc3e66a2a280a9 Mon Sep 17 00:00:00 2001
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:16:38 -0300
Subject: [PATCH] Do not use environment protection rule, rely on workflow run

---
 .github/workflows/ci.yml | 40 ++++++++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bfde25c679..ed7d7d125a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   merge_group:
   pull_request_target:
+    types: [opened, synchronize]
     branches:
       - main
       - release/v4
@@ -13,22 +14,33 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check-approval:
-    name: Check approval for external contribution
+  # We must first check whether it is a external contribution, before processing to checkout the code and running jobs with access to secrets
+  check-permissions:
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     steps:
-    - name: Verify if it's external contribution
-      run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi
-
-  trigger-approval:
-    name: 'Trigger approval for external contribution'
-    runs-on: 'blacksmith-8vcpu-ubuntu-2204'
-    environment:
-      name: approve_external_contribution
-    if: ${{ github.event.pull_request.head.repo.fork }}
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+      # This is dangerous without the first access check
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
   formatting-linting:
-    needs: [check-approval]
+    needs: [check-permissions]
     name: Formatting, linting & changeset checks
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -95,7 +107,7 @@ jobs:
           retention-days: 5
 
   unit-tests:
-    needs: [check-approval]
+    needs: [check-permissions]
     name: Unit Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -147,7 +159,7 @@ jobs:
           retention-days: 5
 
   integration-tests:
-    needs: [check-approval]
+    needs: [check-permissions]
     name: Integration Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}