feat: Secure PR workflows by switching to pull_request_target with explicit head checkout and permission checks.

Author: jianyuan

.github/workflows/test.yml

@@ -4,9 +4,8 @@ name: Tests
 # This GitHub action runs your tests for each pull request and push.
 # Optionally, you can turn it on using a schedule for regular testing.
 on:
-  pull_request:
-    branches:
-      - main
+  pull_request_target:
+    types: [opened, synchronize]
     paths-ignore:
       - "README.md"
   push:
@@ -33,7 +32,22 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - id: check-access
+        if: github.event_name == 'pull_request_target'
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+      - name: Check User Permission
+        if: github.event_name == 'pull_request_target' && steps.check-access.outputs.require-result != 'true'
+        run: |
+          echo "User ${{ github.triggering_actor }} lacks the necessary rights on this repository."
+          echo "Their current access level: ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Initial trigger for this job: ${{ github.actor }}"
+          exit 1
       - uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
       - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
@@ -48,7 +62,22 @@ jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
+      - id: check-access
+        if: github.event_name == 'pull_request_target'
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+      - name: Check User Permission
+        if: github.event_name == 'pull_request_target' && steps.check-access.outputs.require-result != 'true'
+        run: |
+          echo "User ${{ github.triggering_actor }} lacks the necessary rights on this repository."
+          echo "Their current access level: ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Initial trigger for this job: ${{ github.actor }}"
+          exit 1
       - uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
       - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
@@ -77,7 +106,22 @@ jobs:
         terraform:
           - "1.13.*"
     steps:
+      - id: check-access
+        if: github.event_name == 'pull_request_target'
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+      - name: Check User Permission
+        if: github.event_name == 'pull_request_target' && steps.check-access.outputs.require-result != 'true'
+        run: |
+          echo "User ${{ github.triggering_actor }} lacks the necessary rights on this repository."
+          echo "Their current access level: ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Initial trigger for this job: ${{ github.actor }}"
+          exit 1
       - uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
       - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"