From bad10a2764cfd4bfb4ba3ba46ed0ee6ce24897c9 Mon Sep 17 00:00:00 2001
From: Andy Wu
Date: Tue, 16 Jan 2024 12:06:18 -0800
Subject: [PATCH] [security] delete the insecure workflow [feat] add CODEOWNERS [fix] pr triggered only from internal repo
---
 .github/CODEOWNERS | 1 +
 .github/workflows/external-pr.yaml | 43 ------------------------------
 .github/workflows/internal-pr.yaml | 1 +
 3 files changed, 2 insertions(+), 43 deletions(-)
 create mode 100644 .github/CODEOWNERS
 delete mode 100644 .github/workflows/external-pr.yaml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..33529d61
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @DonFungible @edisonz0718
diff --git a/.github/workflows/external-pr.yaml b/.github/workflows/external-pr.yaml
deleted file mode 100644
index 757983d8..00000000
--- a/.github/workflows/external-pr.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: External PR
-
-on:
- pull_request_target:
- types: [opened, synchronize]
-
-jobs:
- authorize:
- if: github.event.pull_request.head.repo.full_name != github.repository
- environment: 'external'
- runs-on: ubuntu-latest
- steps:
- - run: true
- build_and_test:
- needs: authorize
- uses: ./.github/workflows/build-and-test.yaml
- with:
- sha: ${{ github.event.pull_request.head.sha }}
- ENVIRONMENT: 'alpha-sepolia'
- secrets:
- API_BASE_URL: ${{ secrets.API_BASE_URL }}
- STORY_PROTOCOL_CONTRACT: ${{ secrets.STORY_PROTOCOL_CONTRACT }}
- IP_ASSET_REGISTRY_CONTRACT: ${{ secrets.IP_ASSET_REGISTRY_CONTRACT }}
- IP_ORG_CONTROLLER_CONTRACT: ${{ secrets.IP_ORG_CONTROLLER_CONTRACT }}
- RELATIONSHIP_MODULE_CONTRACT: ${{ secrets.RELATIONSHIP_MODULE_CONTRACT }}
- REGISTRATION_MODULE_CONTRACT: ${{ secrets.REGISTRATION_MODULE_CONTRACT }}
- LICENSE_REGISTRY_CONTRACT: ${{ secrets.LICENSE_REGISTRY_CONTRACT }}
- MODULE_REGISTRY_CONTRACT: ${{ secrets.MODULE_REGISTRY_CONTRACT }}
- LICENSE_MODULE_CONTRACT: ${{ secrets.LICENSE_MODULE_CONTRACT }}
- RPC_PROVIDER_URL: ${{ secrets.RPC_PROVIDER_URL }}
- WALLET_PRIVATE_KEY: ${{ secrets.WALLET_PRIVATE_KEY }}
- TEST_WALLET_ADDRESS: ${{ secrets.TEST_WALLET_ADDRESS }}
- TEST_IPORG_ID: ${{ secrets.TEST_IPORG_ID }}
- TEST_IPORG_ID_WITH_HOOK: ${{ secrets.TEST_IPORG_ID_WITH_HOOK }}
- TEST_IPASSET_ID1: ${{ secrets.TEST_IPASSET_ID1 }}
- TEST_IPASSET_ID2: ${{ secrets.TEST_IPASSET_ID2 }}
- TEST_RELATIONSHIP_ID: ${{ secrets.TEST_RELATIONSHIP_ID }}
- TEST_RELATIONSHIP_TYPE: ${{ secrets.TEST_RELATIONSHIP_TYPE }}
- TEST_LICENSE_ID: ${{ secrets.TEST_LICENSE_ID }}
- TEST_HOOK_ID: ${{ secrets.TEST_HOOK_ID }}
- TEST_MODULE_ID: ${{ secrets.TEST_MODULE_ID }}
- TEST_TRANSACTION_ID: ${{ secrets.TEST_TRANSACTION_ID }}
-
\ No newline at end of file
diff --git a/.github/workflows/internal-pr.yaml b/.github/workflows/internal-pr.yaml
index bc93d2f1..491a6f9a 100644
--- a/.github/workflows/internal-pr.yaml
+++ b/.github/workflows/internal-pr.yaml
@@ -12,6 +12,7 @@ on: jobs: build_and_test: + if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} uses: ./.github/workflows/build-and-test.yaml with: sha: ${{ github.event.pull_request.head.sha }}
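Review bot: The `if:` added to `build_and_test` makes the job skip for pull requests from forks, and GitHub reports a skipped job as a passing check, so if this job is a required status check a fork PR can look green without the build or tests ever running. With external-pr.yaml deleted in the same commit, fork contributions have no CI path left; a secret-free job on the plain `pull_request` trigger would restore one. The `on:` block and the rest of the job's `with:`/`secrets:` mapping lie outside this hunk, so the trigger type cannot be confirmed here; if it is `pull_request_target`, this condition is the only barrier between fork code at `head.sha` and whatever secrets build-and-test.yaml receives. A comment above the line would record that, e.g. `# Security: never run for fork PRs, this job builds head.sha and is presumably given repository secrets`.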