Test CI is failing for external contributors

[benoit74]

Currently, test CI is using the pull_request trigger. However, with this trigger the secrets are not populated when the PR author is external to the repository.

This is done on purpose for security reasons: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Many persons on the internet suggest to use pull_request_target, but according to a rapid oversight of github securitylab article, this is only a workaround with does not help with security at all.

The proper solution seems to separate the workflow in two:

• existing workflow will only publish the coverage.xml as an artifact
• a new workflow will be responsible to publish this coverage.xml

Seems pretty simple to implement, but to be confirmed (I skimmed through github article way too fast) and tested of course.

[rgaudin]

Indeed!

For use cases where there's more to protect than coverage upload, we use github deployments with validations (to be seen in kiwix/apple)