Fork PR workflow

alextwoods · alextwoods · commit 9469a3b093a3 · 2026-04-24T16:38:17.000-07:00
diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml
@@ -1,7 +1,8 @@
 name: Build SDK
 on:
   merge_group:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize, reopened, labeled]
   push:
     branches:
       - master
@@ -11,16 +12,48 @@ on:
       - 'docs/**'
 
 concurrency:
-  group: start-pull-request-build-${{ github.ref }}
+  group: start-pull-request-build-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 env:
   DOWNLOAD_FOLDER: '.build-scripts/'
   SCRIPT_LOCATION: 'workflows/start-pull-request-build/pull-request-build-v1.sh'
 
 jobs:
+  # Strip the safe-to-build label on every new push from a fork so that
+  # a maintainer must re-review and re-label after each update.
+  revoke-approval:
+    if: >
+      github.event_name == 'pull_request_target' &&
+      github.event.action == 'synchronize' &&
+      github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Remove safe-to-build label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api -X DELETE \
+            "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/safe-to-build" \
+            || true   # 404 if label wasn't present
+
   aws-sdk-pr-build:
-    if: github.event.pull_request.draft == false
+    needs: revoke-approval
+    if: >
+      always() &&
+      needs.revoke-approval.result != 'failure' &&
+      (
+        github.event_name != 'pull_request_target' ||
+        (
+          github.event.pull_request.draft == false &&
+          (
+            github.event.pull_request.head.repo.full_name == github.repository ||
+            contains(github.event.pull_request.labels.*.name, 'safe-to-build')
+          )
+        )
+      )
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -49,4 +82,4 @@ jobs:
             --branch "$HEAD_REF" \
             --pr-number "${{ github.event.pull_request.number }}" \
             --run-id "${{ github.run_id }}"
-        timeout-minutes: 120
+        timeout-minutes: 120
