Update approach to use deployment environment

Author: alextwoods

.github/workflows/pull-request-build.yml

@@ -2,14 +2,7 @@ name: Build SDK
 on:
   merge_group:
   pull_request_target:
-    types: [opened, synchronize, reopened, labeled]
-  push:
-    branches:
-      - master
-    paths-ignore:
-      - '**.md'
-      - '.all-contributorsrc'
-      - 'docs/**'
+    types: [opened, synchronize, reopened]
 
 concurrency:
   group: start-pull-request-build-${{ github.event.pull_request.number || github.ref }}
@@ -20,51 +13,33 @@ env:
   SCRIPT_LOCATION: 'workflows/start-pull-request-build/pull-request-build-v1.sh'
 
 jobs:
-  # Strip the safe-to-build label on every new push from a fork so that
-  # a maintainer must re-review and re-label after each update.
-  revoke-approval:
-    if: >
-      github.event_name == 'pull_request_target' &&
-      github.event.action == 'synchronize' &&
-      github.event.pull_request.head.repo.full_name != github.repository
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Remove safe-to-build label
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh api -X DELETE \
-            "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/safe-to-build" \
-            || true   # 404 if label wasn't present
-
   aws-sdk-pr-build:
-    needs: revoke-approval
+    # Skip draft PRs
     if: >
-      always() &&
-      needs.revoke-approval.result != 'failure' &&
-      (
-        github.event_name != 'pull_request_target' ||
-        (
-          github.event.pull_request.draft == false &&
-          (
-            github.event.pull_request.head.repo.full_name == github.repository ||
-            contains(github.event.pull_request.labels.*.name, 'safe-to-build')
-          )
-        )
-      )
+      github.event_name != 'pull_request_target' ||
+      github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       issues: write
       pull-requests: write
       contents: read
+    # For fork PRs, require manual approval via the "fork-ci" environment.
+    # Internal PRs and merge_group events run immediately (no environment gate).
+    # Setup: create a "fork-ci" environment in repo Settings > Environments with
+    #   - Required reviewers: your maintainer team
+    #   - Move PR_WORKFLOW_IAM_ROLE_ARN to the environment's secrets
+    environment: >-
+      ${{
+        github.event_name == 'pull_request_target' &&
+        github.event.pull_request.head.repo.full_name != github.repository &&
+        'fork-ci' || ''
+      }}
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{secrets.PR_WORKFLOW_IAM_ROLE_ARN}}
+          role-to-assume: ${{ secrets.PR_WORKFLOW_IAM_ROLE_ARN }}
           role-session-name: PullRequestBuildGitHubAction
           aws-region: us-west-2
           role-duration-seconds: 10800 # 3 hrs
@@ -75,11 +50,11 @@ jobs:
       - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           ./$DOWNLOAD_FOLDER/$SCRIPT_LOCATION \
             --repo "${{ github.repository }}" \
-            --branch "$HEAD_REF" \
+            --branch "$HEAD_SHA" \
             --pr-number "${{ github.event.pull_request.number }}" \
             --run-id "${{ github.run_id }}"
         timeout-minutes: 120