From 0ad7f77f83e5b66fa5e048328cf254f79e6fcd51 Mon Sep 17 00:00:00 2001 From: Daniel Tipping Date: Thu, 4 May 2023 12:11:55 +0100 Subject: Allow CI to access secrets once PR is approved (#75) * Auto-format with prettier v2.8.8 * Allow CI to access secrets once PR is approved --- .github/workflows/check-and-publish.yml | 56 ++++++++++++++++++--------------- .github/workflows/label-public-pr.yml | 10 ++++++ 2 files changed, 41 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/label-public-pr.yml diff --git a/.github/workflows/check-and-publish.yml b/.github/workflows/check-and-publish.yml index 60e0319..0184526 100644 --- a/.github/workflows/check-and-publish.yml +++ b/.github/workflows/check-and-publish.yml @@ -2,21 +2,24 @@ name: Check and publish on: push: - branches: [ master ] + branches: [master] pull_request: - branches: [ master ] + branches: [master] + + # Trigger on public pull request approval + pull_request_target: + types: [labeled] release: types: [created] - jobs: quality-checks: name: Code QA runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: pip install black flake8 isort - run: black --version - run: isort --version @@ -27,6 +30,7 @@ jobs: platform-checks: needs: quality-checks + if: ${{ !github.event.pull_request.head.repo.fork && github.event.action != 'labeled' || github.event.label.name == 'approved-for-ci' }} strategy: fail-fast: false matrix: @@ -39,7 +43,9 @@ jobs: timeout-minutes: 20 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} - uses: actions/setup-python@v2 with: 
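Review bot: The `pull_request_target` trigger added to the `on:` block applies to every job in this workflow, and no `permissions:` key is visible in the hunks, so runs started by it get the repository's default `GITHUB_TOKEN` scope in the base-repository context. A workflow-level `permissions:` with `contents: read`, widened only on a job that needs more, would bound what a labeled run can do. `quality-checks` has no `if:` and its checkout sets no `ref`, so on a `labeled` event it lints the base branch, not the pull request head; a comment on that job saying so would stop a green QA result on such a run being read as a check of the fork's code. The rest of the file is outside the hunks, so confirm neither point is already handled there.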
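Review bot: The `if:` added to `platform-checks` mixes `&&` and `||` without parentheses, and its last clause accepts the `approved-for-ci` label without checking which event delivered it. It evaluates as `(!fork && action != 'labeled') || label.name == 'approved-for-ci'`, which appears to be the intent, but writing it as `if: ${{ (!github.event.pull_request.head.repo.fork && github.event.action != 'labeled') || (github.event_name == 'pull_request_target' && github.event.label.name == 'approved-for-ci') }}` makes the gate explicit and easier to audit. The label is the only authorization for running fork code with secrets, so a comment above the line should record which role is allowed to apply it. The job body continues outside the hunk.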
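Review bot: The checkout added to `platform-checks` fetches the pull request's head commit in a `pull_request_target` run but leaves `persist-credentials` at its default, so the job token stays in the workspace's git configuration while later steps handle fork code. Adding `persist-credentials: false` under `with:` next to `ref:` removes it. `head.sha` is taken from the `labeled` event, so the commit that runs is whatever was the head when the label was applied; a comment such as `# approval applies to the head SHA at labeling time; re-review after any push` would document that limit. The steps that consume the checkout are outside the hunk, so which of them receive secrets cannot be confirmed from here.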
@@ -64,26 +70,26 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Set up Python - uses: actions/setup-python@v2 - with: - python-version: '3.8' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools wheel twine - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - run: | - python setup.py sdist - twine upload dist/* - - - name: Notify climetlab - uses: mvasigh/dispatch-action@main - with: + - uses: actions/checkout@v3 + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: "3.8" + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install setuptools wheel twine + - name: Build and publish + env: + TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} + TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} + run: | + python setup.py sdist + twine upload dist/* + + - name: Notify climetlab + uses: mvasigh/dispatch-action@main + with: token: ${{ secrets.NOTIFY_ECMWFLIBS }} repo: climetlab owner: ecmwf diff --git a/.github/workflows/label-public-pr.yml b/.github/workflows/label-public-pr.yml new file mode 100644 index 0000000..59b2bfa --- /dev/null +++ b/.github/workflows/label-public-pr.yml @@ -0,0 +1,10 @@ +# Manage labels of pull requests that originate from forks +name: label-public-pr + +on: + pull_request_target: + types: [opened, synchronize] + +jobs: + label: + uses: ecmwf-actions/reusable-workflows/.github/workflows/label-pr.yml@v2 -- cgit v1.2.3
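Review bot: In the new `label-public-pr.yml`, the `label` job calls `ecmwf-actions/reusable-workflows/.github/workflows/label-pr.yml@v2` from a `pull_request_target` trigger by a movable tag and declares no `permissions:`. This event runs with base-repository privileges for pull requests opened from forks, so the called workflow's behaviour should not be able to change underneath it. Pinning the `uses:` reference to a full commit SHA, with the tag kept as a trailing comment, would fix what runs. A job-level `permissions:` block limited to what label management needs, presumably `pull-requests: write`, would keep the token small. The called workflow is not on this page, so the exact scopes should be confirmed against it.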