name: 'Approved Fork Execution' on: pull_request: pull_request_target: jobs: run-tests: name: 'Run Tests' # This condition prevents duplicate runs for forks. # It runs for all pull_request_target events (forks) # and for pull_request events that are NOT from a fork. if: "github.event_name == 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository" runs-on: 'ubuntu-latest' # For PRs from forks (pull_request_target), require approval via an environment. # For internal PRs (pull_request), run without approval. environment: "${{ github.event_name == 'pull_request_target' && 'e2e-on-fork' || null }}" steps: # For PRs from forks, we need to checkout the head of the PR from the fork's repo. - name: 'Checkout (fork)' if: "github.event_name == 'pull_request_target'" uses: 'actions/checkout@v4' with: ref: '${{ github.event.pull_request.head.sha }}' repository: '${{ github.event.pull_request.head.repo.full_name }}' # For internal PRs, the default checkout is sufficient. - name: 'Checkout (internal)' if: "github.event_name == 'pull_request'" uses: 'actions/checkout@v4' - name: 'Run test with secret' env: GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}' run: | echo "This step demonstrates using a secret." if [ -n "$GEMINI_API_KEY" ]; then echo "GEMINI_API_KEY is available." else echo "GEMINI_API_KEY is not available." # On pull_request from a fork, this would fail without pull_request_target if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then echo "This is a fork PR on a pull_request trigger, secrets are not available." else # This should not happen for internal PRs or approved fork PRs exit 1 fi fi