From c8b7bf5f7aa797c849c0a2151f0cdd08528cb13c Mon Sep 17 00:00:00 2001
From: Wayback Archiver <66856220+waybackarchiver@users.noreply.github.com>
Date: Tue, 15 Nov 2022 03:45:03 +0000
Subject: [PATCH] Add trigger event target pull_request_target for project workflow (#37)

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
---
 .github/workflows/reusable-add-to-project.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/reusable-add-to-project.yml b/.github/workflows/reusable-add-to-project.yml
index b97ef68..656e908 100644
--- a/.github/workflows/reusable-add-to-project.yml
+++ b/.github/workflows/reusable-add-to-project.yml
@@ -12,6 +12,9 @@ on:
   pull_request:
     types:
       - opened
+  pull_request_target:
+    types:
+      - opened
   workflow_call:
     inputs:
       project-url:
@@ -34,6 +37,11 @@ jobs:
   add-issue-to-project:
     name: Add Issue or Pull Request to Project
     runs-on: ubuntu-latest
+    # pull_request_target: Only "dependabot[bot]" is allowed to access secrets.
+    # pull_request: All other forks are running without access to secrets.
+    if: >
+      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]')
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
@@ -45,14 +53,14 @@ jobs:
             api.github.com:443
 
       - name: Check out code base
-        if: github.event_name == 'push'
+        if: github.event_name != 'pull_request_target'
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: Check out code base
-        if: github.event_name == 'pull_request'
+        if: github.event_name == 'pull_request_target'
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           fetch-depth: 0
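Review bot: The new `pull_request_target` trigger in the first hunk makes the job run in the base repository's context, with its secrets and a GITHUB_TOKEN that is not read-only unless the repository restricts it, even for pull requests opened from forks, and nothing next to the trigger records that. A comment above it would help the next maintainer, for example `# pull_request_target: runs in the base repo with secrets; the job-level if: restricts it to dependabot[bot]`. With `types: [opened]` only, `github.actor` is the author who opened the pull request, which is what the gate in the second hunk relies on; if further types such as labeled or synchronize are added later, the actor becomes whoever performed that action and the gate assumption should be re-checked then.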
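Review bot: The job-level `if:` added in the second hunk limits who may run the job under `pull_request_target`, but nothing visible in the hunk limits what the resulting GITHUB_TOKEN may do. If the workflow does not already set `permissions:` at the top level (not visible here), a job-level `permissions:` block with `contents: read` would keep the privileged event scoped to what the steps need; the add-to-project step further down passes its own `github-token` secret, so the workflow token itself may need little. As a point of style, `if: >` keeps a trailing newline in the expression while `if: >-` strips it; GitHub tolerates both, but `>-` is the conventional form for a single-line condition.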
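Review bot: The second "Check out code base" step in the third hunk now runs under `pull_request_target`, and its `with:` block continues past the end of the hunk, so it is not visible whether it sets `ref:` to the pull request head or carries `persist-credentials: false` as the first step does. If it checks out the head of the pull request, fork-controlled content lands on a runner that holds the base repository's secrets; the actor gate in the job-level `if:` narrows that to dependabot[bot], but the step should still carry `persist-credentials: false` and no later step should build or execute anything from that checkout. If the remaining steps only call add-to-project, it is worth confirming that a checkout is needed under this event at all.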
@@ -67,7 +75,7 @@ jobs:
           github-token: ${{ secrets.github-token }}
 
       - name: Add to Project
-        if: github.event != 'workflow_call'
+        if: github.event != 'workflow_call' && github.actor == 'dependabot[bot]'
         uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0
         with:
           project-url: ${{ env.PROJECT_URL }}
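Review bot: The kept left-hand side of the new `if:`, `github.event != 'workflow_call'`, compares the event payload object with a string, so it is always true and the condition reduces to the actor check. The string name of the event is `github.event_name`, so the line would read `if: github.event_name != 'workflow_call' && github.actor == 'dependabot[bot]'`. Even then, as far as I recall the `github` context inside a called reusable workflow reflects the caller's triggering event rather than 'workflow_call', so if the intent is to skip this step when the workflow is invoked via `workflow_call`, testing a caller-supplied value such as `inputs.project-url` may be a more reliable signal.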