From daa21c4369d425671c18aa299dfdf7f47859ea2f Mon Sep 17 00:00:00 2001
From: Gunju Kim
Date: Thu, 26 Mar 2026 00:04:50 +0000
Subject: [PATCH 1/2] Use pull_request_target for e2e tests to enable secrets on fork PRs
GitHub Actions does not expose repository secrets to pull_request events from forks. Switch the e2e job to trigger on pull_request_target instead, which runs in the base repository context and has access to secrets. The existing ok-to-test label gate ensures maintainer review before secrets are exposed. Non-e2e jobs continue to use pull_request to avoid double runs. The checkout step now explicitly uses the PR head SHA to test the correct code.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c97293b6..4e75594f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
 types: [opened, synchronize, reopened, labeled]
+ pull_request_target:
+ branches: [main]
+ types: [opened, synchronize, reopened, labeled]
 merge_group:
 workflow_dispatch:
 inputs:
@@ -23,7 +26,7 @@ concurrency:
 jobs:
 build:
- if: github.event.action != 'labeled' || github.event.label.name == 'ok-to-test'
+ if: github.event_name != 'pull_request_target' && (github.event.action != 'labeled' || github.event.label.name == 'ok-to-test')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -36,7 +39,7 @@ jobs:
 run: make build
 verify:
- if: github.event.action != 'labeled' || github.event.label.name == 'ok-to-test'
+ if: github.event_name != 'pull_request_target' && (github.event.action != 'labeled' || github.event.label.name == 'ok-to-test')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
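Review bot: The new `pull_request_target` trigger runs this workflow with the base repository's `GITHUB_TOKEN`, and unless a top-level `permissions:` block already exists outside this hunk, that token may carry the repository's default write scope into every job, including the one that later checks out fork code. Consider adding `permissions: contents: read` at the workflow level beside `on:` and granting anything broader per job. The rest of the `on:` block and any existing `permissions:` key are outside the visible lines, so confirm before adding.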
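Review bot: The same 130-character `if:` expression is now pasted verbatim into the build, verify, test and test-integration jobs (this hunk and the three that follow), which is hard to read and easy to let drift the next time the condition changes. The test-e2e job already uses a folded scalar for its condition, so matching that style here would keep the file consistent: `if: >-` / `github.event_name != 'pull_request_target' &&` / `(github.event.action != 'labeled' || github.event.label.name == 'ok-to-test')`. A one-line comment above the first occurrence, such as `# pull_request_target runs are handled by test-e2e only`, would record why these jobs opt out.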
@@ -49,7 +52,7 @@ jobs:
 run: make verify
 test:
- if: github.event.action != 'labeled' || github.event.label.name == 'ok-to-test'
+ if: github.event_name != 'pull_request_target' && (github.event.action != 'labeled' || github.event.label.name == 'ok-to-test')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -62,7 +65,7 @@ jobs:
 run: make test
 test-integration:
- if: github.event.action != 'labeled' || github.event.label.name == 'ok-to-test'
+ if: github.event_name != 'pull_request_target' && (github.event.action != 'labeled' || github.event.label.name == 'ok-to-test')
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -76,10 +79,12 @@ jobs:
 test-e2e:
 if: >-
- github.event_name == 'push' || github.event_name == 'merge_group' || (github.event_name == 'workflow_dispatch' && inputs.ok-to-test) || contains(github.event.pull_request.labels.*.name, 'ok-to-test')
+ github.event_name == 'push' || github.event_name == 'merge_group' || (github.event_name == 'workflow_dispatch' && inputs.ok-to-test) || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'ok-to-test'))
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - uses: actions/setup-go@v5
 with:
From a58f21d24753192a8f41ae4ba4f771010587c13e Mon Sep 17 00:00:00 2001
From: Gunju Kim
Date: Thu, 26 Mar 2026 09:32:37 +0000
Subject: [PATCH 2/2] Address review feedback for pull_request_target security
- Restrict pull_request_target to only 'labeled' type so maintainers must re-apply ok-to-test after each new fork commit (prevents stale label reuse)
- Include event_name in concurrency group key to prevent pull_request and pull_request_target runs from cancelling each other
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4e75594f..3005a1d0 100644
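Review bot: The new `ref:` step checks out fork-controlled code inside a `pull_request_target` run, and `actions/checkout@v4` persists the job's `GITHUB_TOKEN` into the checkout by default, so any later step that executes that code (the build and e2e steps continue outside this hunk) can read the privileged token from `.git/config`. Add `persist-credentials: false` under the new `with:` block, and if secrets are injected at workflow-level `env:` elsewhere in the file, move them to this job's `env:` so the other jobs never see them. Pinning `head.sha` rather than `head.ref` is the right choice, since it tests exactly the commit the maintainer labeled, and the `github.sha` fallback covers the push and merge_group cases.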
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -8,7 +8,7 @@ on:
 types: [opened, synchronize, reopened, labeled]
 pull_request_target:
 branches: [main]
- types: [opened, synchronize, reopened, labeled]
+ types: [labeled]
 merge_group:
 workflow_dispatch:
 inputs:
@@ -19,7 +19,7 @@ on:
 concurrency:
 group: >-
- ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}${{
+ ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}${{
 github.event.action == 'labeled' && '-labeled' || '' }}
 cancel-in-progress: true
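Review bot: Restricting the trigger to `labeled` does not by itself force a fresh approval after each fork push, because the test-e2e condition introduced in the first patch checks `contains(github.event.pull_request.labels.*.name, 'ok-to-test')`, which stays true on every later `labeled` event for any label as long as `ok-to-test` is still on the PR; a bot or triager adding an unrelated label would re-run e2e with secrets against whatever head the PR has by then. Change that branch of the condition to `(github.event_name == 'pull_request_target' && github.event.label.name == 'ok-to-test')` so only the act of applying this label re-arms the run, and remove the label afterwards (or on `synchronize`, from a job that does not check out fork code) so it cannot go stale. A comment above `types: [labeled]`, such as `# labeled only: each new fork commit needs a fresh ok-to-test from a maintainer before secrets are exposed`, would keep the rationale next to the trigger.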
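Review bot: The reason `${{ github.event_name }}` now sits in the group key is recorded only in the commit message; a comment above `concurrency:` such as `# event_name keeps pull_request and pull_request_target runs for the same PR in separate groups so they do not cancel each other` would preserve it in the file. Note that `cancel-in-progress: true` still applies within the pull_request_target group, so two label events in quick succession on one PR appear to cancel the first e2e run, and after this patch only another label event will start a new one; that is probably acceptable but worth stating in the same comment.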