Require approval before starting a CI run

Author: shepmaster

.github/workflows/ci.yml

@@ -5,14 +5,24 @@ name: Validate everything
   push:
     branches:
     - master
-  pull_request:
+  pull_request_target:
+    types:
+    - labeled
     branches:
     - master
 env:
   DOCKER_HUB_USERNAME: shepmaster
   GH_CONTAINER_REGISTRY_USERNAME: shepmaster
   AWS_ACCESS_KEY_ID: AKIAWESVHZ3J6SV43YWE
 jobs:
+  debug:
+    runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
+    steps:
+    - run: echo '${{ secrets.AWS_SECRET_ACCESS_KEY }}' | wc
+    - run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | wc
+    - run: echo '${{ secrets.GH_CONTAINER_REGISTRY_TOKEN }}' | wc
+    - run: echo '${{ secrets.PLAYGROUND_GITHUB_TOKEN }}' | wc
   build_compiler_containers:
     name: Build ${{ matrix.channel }} compiler container
     runs-on: ubuntu-latest
@@ -22,11 +32,14 @@ jobs:
         - stable
         - beta
         - nightly
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-rust-${{ matrix.channel }}
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
       with:
@@ -124,11 +137,14 @@ jobs:
         - clippy
         - miri
         - rustfmt
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-tool-${{ matrix.tool }}
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
       with:
@@ -155,9 +171,12 @@ jobs:
   build_backend:
     name: Build backend
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Cache Cargo intermediate products
       uses: actions/cache@v2
       with:
@@ -182,9 +201,12 @@ jobs:
   build_frontend:
     name: Build frontend
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Get yarn cache directory path
       id: yarn-cache-dir-path
       run: echo "::set-output name=dir::$(yarn cache dir)"
@@ -214,6 +236,7 @@ jobs:
   run_integration_tests:
     name: Running integration tests
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     needs:
     - build_compiler_containers
     - build_tool_containers
@@ -225,6 +248,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Configure Ruby
       uses: actions/setup-ruby@v1
       with:

.github/workflows/cron.yml

@@ -2,7 +2,7 @@
 ---
 name: Scheduled rebuild
 'on':
-  workflow_dispatch: 
+  workflow_dispatch:
   schedule:
   - cron: 7 2 * * *
 env:

ci/workflows.yml

@@ -9,6 +9,14 @@ components:
       name: "Checkout code"
       uses: actions/checkout@v2
 
+  # This should only be used when we know that the code being tested
+  # doesn't make use of our secrets or elevated GitHub token.
+  - checkout_pr: &checkout_pr
+      name: "Checkout code"
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
   - docker_buildx: &docker_buildx
       name: "Set up Docker Buildx"
       uses: docker/setup-buildx-action@v1
@@ -212,20 +220,31 @@ workflows:
       push:
         branches:
           - master
-      pull_request:
+      pull_request_target:
+        types: [labeled]
         branches:
           - master
 
     <<: *global_env
 
     jobs:
+      debug:
+        runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
+        steps:
+          - run: echo '${{ secrets.AWS_SECRET_ACCESS_KEY }}' | wc
+          - run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | wc
+          - run: echo '${{ secrets.GH_CONTAINER_REGISTRY_TOKEN }}' | wc
+          - run: echo '${{ secrets.PLAYGROUND_GITHUB_TOKEN }}' | wc
+
       build_compiler_containers:
         <<: *build_compiler_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_compiler_containers_job_env
 
         steps:
-          - *checkout
+          - *checkout_pr
           - *docker_buildx
           - *login_ghcr
           - *build_compiler_containers_toolchain
@@ -236,21 +255,23 @@ workflows:
 
       build_tool_containers:
         <<: *build_tool_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_tool_containers_job_env
 
         steps:
-          - *checkout
+          - *checkout_pr
           - *docker_buildx
           - *login_ghcr
           - *build_tool_containers_final
 
       build_backend:
         name: "Build backend"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Cache Cargo intermediate products"
             uses: actions/cache@v2
@@ -290,9 +311,10 @@ workflows:
       build_frontend:
         name: "Build frontend"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Get yarn cache directory path"
             id: yarn-cache-dir-path
@@ -336,6 +358,7 @@ workflows:
       run_integration_tests:
         name: "Running integration tests"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         needs:
           - build_compiler_containers
           - build_tool_containers
@@ -347,7 +370,7 @@ workflows:
             working-directory: tests
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Configure Ruby"
             uses: actions/setup-ruby@v1