From bfb463e1c02e7fc7019aaa2e49fefd647ee9c420 Mon Sep 17 00:00:00 2001
From: Ethan Zimbelman <ethan.zimbelman@me.com>
Date: Thu, 14 Mar 2024 15:20:01 -0700
Subject: [PATCH] ci(test): collect environment secrets from a prepared staging
 environment (#294)

---
 .github/workflows/main.yml | 40 +++++---------------------------------
 1 file changed, 5 insertions(+), 35 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8b4bdec7..8845c5a7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,47 +1,23 @@
 name: Tests
 on:
-  pull_request_target:
-    types: [opened, synchronize]
+  pull_request:
   push:
     branches:
       - main
 
 jobs:
-  # Note: The `pull_request_target` event provides access to repository secrets!
-  #
-  # This is required to run the integration tests on PRs from forked branches.
-  # Any job checking out pull_request.head.sha should require the access_check.
-  #
-  # Actions require collaborator approval to start and might require a re-run.
-  # The proposed changes should be reviewed before approving any workflow jobs.
-  #
-  # Reference: https://michaelheap.com/access-secrets-from-forks/
-  access_check:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check user permissions
-      if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.author_association != 'MEMBER' }}
-      run: |
-        echo "Action was not triggered by an organization member. Exiting now."
-        exit 1
-
   unit_tests:
     runs-on: ubuntu-latest
-    needs: access_check
     steps:
     - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - run: npm test
 
   integration_test_botToken:
     runs-on: ubuntu-latest
-    needs: access_check
+    environment: staging
     steps:
     - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - name: Post message to Slack via botToken
       id: slackToken
@@ -72,11 +48,9 @@ jobs:
 
   integration_test_webhook:
     runs-on: ubuntu-latest
-    needs: access_check
+    environment: staging
     steps:
     - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - run: echo "${{ github.event_name }}"
     - name: push trigger
@@ -108,11 +82,9 @@ jobs:
 
   integration_test_incoming_webhook:
     runs-on: ubuntu-latest
-    needs: access_check
+    environment: staging
     steps:
     - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - run: echo "${{ github.event_name }}"
     - name: Post message to Slack via incoming webhook
@@ -131,11 +103,9 @@ jobs:
 
   integration_test_file_payload:
     runs-on: ubuntu-latest
-    needs: access_check
+    environment: staging
     steps:
     - uses: actions/checkout@v4
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
     - run: npm ci && npm run build
     - name: Dump out GitHub Context
       run: echo $JSON