From 007df73fe5edad83ebc7f4d8dccb33e8b2c2e587 Mon Sep 17 00:00:00 2001
From: Chuck Daniels <cjdaniels4@gmail.com>
Date: Wed, 18 Sep 2024 18:54:57 -0400
Subject: [PATCH] Allow maintainer to re-run int. tests for fork PRs

Fixes #810
---
 .github/workflows/integration-test.yml | 50 +++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index cb013525..fba60ccc 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -2,6 +2,7 @@ name: Integration Tests
 
 on:
   pull_request:
+  pull_request_target:
   push:
     branches:
       - main
@@ -19,6 +20,25 @@ concurrency:
 
 jobs:
   integration-tests:
+    #
+    # This condition prevents DUPLICATE attempts to run integration tests for
+    # PRs coming from FORKS.
+    #
+    # When a PR originates from a fork, both a pull_request and a
+    # pull_request_target event are triggered.  This means that without a
+    # condition, GitHub will attempt to run integration tests TWICE, once for
+    # each event.
+    #
+    # To prevent this, this condition ensures that integration tests are run
+    # in only ONE of the following cases:
+    #
+    #   1. The event is NOT a pull_request.  This covers the case when the event
+    #      is a pull_request_target (i.e., a PR from a fork), as well as all
+    #      other cases listed in the "on" block at the top of this file.
+    #   2. The event IS a pull_request AND the base repo and head repo are the
+    #      same (i.e., the PR is NOT from a fork).
+    #
+    if: github.event_name != 'pull_request' || github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -26,13 +46,35 @@ jobs:
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Fetch user permission
+        id: permission
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+
+      - name: Check user permission
+        if: ${{ steps.permission.outputs.require-result == 'false' }}
+        # If the triggering actor does not have write permission (i.e., this is a
+        # PR from a fork), then we exit, otherwise most of the integration tests will
+        # fail because they require access to secrets.  In this case, a maintainer
+        # will need to make sure the PR looks safe, and if so, manually re-run the
+        # failed pull_request_target jobs.
+        run: |
+          echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY
+          echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY
+          echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+      - name: Checkout source
+        uses: actions/checkout@v4
 
-      - uses: ./.github/actions/install-pkg
+      - name: Install package with dependencies
+        uses: ./.github/actions/install-pkg
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Test
+      - name: Run integration tests
         env:
           EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }}
           EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }}
@@ -40,7 +82,7 @@ jobs:
           EARTHACCESS_TEST_PASSWORD: ${{ secrets.EDL_PASSWORD }}
         run: ./scripts/integration-test.sh
 
-      - name: Upload coverage
+      - name: Upload coverage report
         # Don't upload coverage when using the `act` tool to run the workflow locally
         if: ${{ !env.ACT }}
         uses: codecov/codecov-action@v4