internal/ci: use pull_request_target for PR CI jobs

So that they can have access to secrets.NOTCUECKOO_CUE_TOKEN,
as otherwise we fail to fetch dependencies from the central registry.

https://github.com/cue-lang/cue/wiki/Notes-for-project-maintainers
is also updated with a brief mention of reviewing the changes
before triggering a CI job on a GitHub PR.

Signed-off-by: Daniel Martí <[email protected]>
Change-Id: I9fdd861c09f7b2a81e09be22f93db70a4b537ed4
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1205188
Unity-Result: CUE porcuepine <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>
Reviewed-by: Paul Jolly <[email protected]>

Author: mvdan

.github/workflows/trybot.yaml

@@ -10,7 +10,7 @@ name: TryBot
     tags-ignore:
       - v*
   workflow_dispatch: {}
-  pull_request: {}
+  pull_request_target: {}
 jobs:
   test:
     strategy:

internal/ci/base/github.cue

@@ -67,7 +67,7 @@ checkoutCode: {
 		name: "Checkout code"
 		uses: "actions/checkout@v4"
 
-		// "pull_request" builds will by default use a merge commit,
+		// "pull_request_target" builds will by default use a merge commit,
 		// testing the PR's HEAD merged on top of the master branch.
 		// For consistency with Gerrit, avoid that merge commit entirely.
 		// This doesn't affect builds by other events like "push",

internal/ci/github/trybot.cue

@@ -29,7 +29,11 @@ workflows: trybot: _repo.bashWorkflow & {
 			branches: list.Concat([[_repo.testDefaultBranch], _repo.protectedBranchPatterns]) // do not run PR branches
 			"tags-ignore": [_repo.releaseTagPattern]
 		}
-		pull_request: {}
+		// Note that pull_request_target gives PR CI jobs full access to our secrets,
+		// which is necessary to fetch dependencies from the registry via NOTCUECKOO_CUE_TOKEN.
+		// Giving access to secrets is OK given that we must approve PR jobs to run on CI,
+		// which mirrors the approval workflow for CI on Gerrit.
+		pull_request_target: {}
 	}
 
 	jobs: {