From 0b609752ceac894f3daaf34b61692a95097f48ea Mon Sep 17 00:00:00 2001
From: David Chavez <david@dcvz.io>
Date: Mon, 20 May 2024 22:55:59 +0200
Subject: [PATCH] CI: Enable secrets on forks with approval (#227)

---
 .github/workflows/validate.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 7445ef1..4988ab1 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -3,13 +3,22 @@ on:
   push:
     branches:
       - dev
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ✓
   build-unix:
+    needs: authorize
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -18,6 +27,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
       - name: ccache
         uses: hendrikmuhs/ccache-action@v1.2
@@ -87,6 +97,7 @@ jobs:
           name: Zelda64Recompiled-${{ runner.os }}-${{ matrix.type }}
           path: Zelda64Recompiled-${{ runner.os }}-${{ matrix.type }}.tar.gz
   build-windows:
+    needs: authorize
     runs-on: windows-latest
     strategy:
       matrix:
@@ -95,6 +106,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
       - name: ccache
         uses: hendrikmuhs/ccache-action@v1.2