fix: require environment approval for fork PRs in pull_request_target workflows

b-per · b-per · commit 70602a2e4129 · 2026-02-27T13:47:39.000+01:00
Fork PRs using pull_request_target bypass GitHub's standard approval gate
while having access to repository secrets. This adds a conditional
`cloud-tests` environment that requires reviewer approval only for fork PRs,
while keeping internal PRs and push events unaffected.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,6 +25,7 @@ env:
 jobs:
     run-tests:
         runs-on: ubuntu-latest
+        environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'cloud-tests' || '' }}
         strategy:
             fail-fast: false
             matrix:
diff --git a/.github/workflows/fusion.yml b/.github/workflows/fusion.yml
@@ -28,6 +28,7 @@ env:
 jobs:
     run-tests:
         runs-on: ubuntu-latest
+        environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'cloud-tests' || '' }}
         strategy:
             fail-fast: false
             matrix:
