slackapi · zimeg · Dec 2, 2023 · Nov 17, 2023 · Nov 17, 2023 · Nov 17, 2023
diff --git a/.github/maintainers_guide.md b/.github/maintainers_guide.md
@@ -22,6 +22,12 @@ When testing locally, ensure at least linting and unit tests pass by running `np
 Additionally, sending a PR is highly recommended with every change as there are several GitHub
 Actions jobs that execute what are effectively integration tests for this GitHub Action.
 
+#### Checks on PRs
+
+Actions that run the integration tests on PRs from a fork will require approval before running.
+These checks use stored secrets so the changes should be reviewed before approving the workflow to
+avoid accidently leaking tokens!
+
 ### Releasing
 
 * Check the status of this project's GitHub Milestone to be released for issues that should be shipped with the release.

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,6 +1,7 @@
 name: Tests
 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize]
   push:
     branches:
       - main
@@ -13,10 +14,22 @@ jobs:
     - run: npm ci && npm run build
     - run: npm test
 
+  access_check:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check user permissions
+      if: ${{ github.event_name == 'pull_request' && github.event.pull_request.author_association != 'MEMBER' }}
+      run: |
+        echo "Action was not triggered by an organization member. Exiting now."
+        exit 1
+
   integration_test_botToken:
     runs-on: ubuntu-latest
+    needs: access_check
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - name: Post message to Slack via botToken
       id: slackToken
@@ -47,8 +60,11 @@ jobs:
 
   integration_test_webhook:
     runs-on: ubuntu-latest
+    needs: access_check
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - run: echo "${{ github.event_name }}"
     - name: push trigger
@@ -80,8 +96,11 @@ jobs:
 
   integration_test_incoming_webhook:
     runs-on: ubuntu-latest
+    needs: access_check
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - run: echo "${{ github.event_name }}"
     - name: Post message to Slack via incoming webhook
@@ -100,8 +119,11 @@ jobs:
 
   integration_test_file_payload:
     runs-on: ubuntu-latest
+    needs: access_check
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - name: Dump out GitHub Context
       run: echo $JSON