Merge pull request #2722 from evidence-dev/ci/fix-chromatic-trigger

Run Chromatic on correct ref, require approval before running `pull_request_target` actions

.github/workflows/chromatic.yml

@@ -1,17 +1,19 @@
 name: 'Chromatic'
 
 on:
-  push:
   pull_request_target:
 
 jobs:
+  external-pr-action-approval:
+    uses: ./.github/workflows/external-pr-action-approval.yml
   chromatic:
+    needs: external-pr-action-approval
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
       - uses: pnpm/[email protected]
         with:
           version: 8.6.9

.github/workflows/external-pr-action-approval.yml

@@ -0,0 +1,12 @@
+# https://datachain.ai/blog/testing-external-contributions-using-github-actions-secrets
+
+on:
+  workflow_call:
+
+jobs:
+  external-pr-action-approval:
+    name: 'External PR Action Approval'
+    environment: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'Approval required to run action on external PR' || '' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true

.github/workflows/tests.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   Tests-sources:
     runs-on: ${{ matrix.os }}
-    if: ${{ github.triggering_actor == 'archiewood' || github.triggering_actor == 'mcrascal' || github.triggering_actor == 'ud3sh' || github.triggering_actor == 'hughess' || github.triggering_actor == 'winterhart' || github.triggering_actor == 'itsmebriand' || github.triggering_actor == 'kwongz' || github.triggering_actor == 'zachstence' || github.triggering_actor == 'csjh'}}
+    needs: ./.github/workflows/external-pr-action-approval.yml
     timeout-minutes: 20
 
     # Conditional Strategy logic from https://github.com/orgs/community/discussions/26253#discussioncomment-3250989