Require approval before starting a CI run

.github/workflows/ci.yml

@@ -5,13 +5,15 @@ name: Validate everything
   push:
     branches:
     - master
-  pull_request:
+  pull_request_target:
+    types:
+    - labeled
     branches:
     - master
 env:
   DOCKER_HUB_USERNAME: shepmaster
   GH_CONTAINER_REGISTRY_USERNAME: shepmaster
-  AWS_ACCESS_KEY_ID: AKIAWESVHZ3J6US4DSXP
+  AWS_ACCESS_KEY_ID: AKIAWESVHZ3JQAY5NM5K
 jobs:
   build_compiler_containers:
     name: Build ${{ matrix.channel }} compiler container
@@ -22,11 +24,14 @@ jobs:
         - stable
         - beta
         - nightly
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-rust-${{ matrix.channel }}
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
       with:
@@ -124,11 +129,14 @@ jobs:
         - clippy
         - miri
         - rustfmt
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-tool-${{ matrix.tool }}
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
       with:
@@ -155,9 +163,12 @@ jobs:
   build_backend:
     name: Build backend
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Cache Cargo intermediate products
       uses: actions/cache@v2
       with:
@@ -182,9 +193,12 @@ jobs:
   build_frontend:
     name: Build frontend
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Get yarn cache directory path
       id: yarn-cache-dir-path
       run: echo "::set-output name=dir::$(yarn cache dir)"
@@ -214,6 +228,7 @@ jobs:
   run_integration_tests:
     name: Running integration tests
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     needs:
     - build_compiler_containers
     - build_tool_containers
@@ -225,6 +240,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v2
+      with:
+        ref: "${{ github.event.pull_request.head.sha }}"
     - name: Configure Ruby
       uses: actions/setup-ruby@v1
       with:

.github/workflows/cron.yml

@@ -2,13 +2,13 @@
 ---
 name: Scheduled rebuild
 'on':
-  workflow_dispatch: 
+  workflow_dispatch:
   schedule:
   - cron: 7 2 * * *
 env:
   DOCKER_HUB_USERNAME: shepmaster
   GH_CONTAINER_REGISTRY_USERNAME: shepmaster
-  AWS_ACCESS_KEY_ID: AKIAWESVHZ3J6US4DSXP
+  AWS_ACCESS_KEY_ID: AKIAWESVHZ3JQAY5NM5K
 jobs:
   build_compiler_containers:
     name: Build ${{ matrix.channel }} compiler container

ci/workflows.yml

@@ -3,12 +3,20 @@ components:
       env:
         DOCKER_HUB_USERNAME: shepmaster
         GH_CONTAINER_REGISTRY_USERNAME: shepmaster
-        AWS_ACCESS_KEY_ID: AKIAWESVHZ3J6US4DSXP
+        AWS_ACCESS_KEY_ID: AKIAWESVHZ3JQAY5NM5K
 
   - checkout: &checkout
       name: "Checkout code"
       uses: actions/checkout@v2
 
+  # This should only be used when we know that the code being tested
+  # doesn't make use of our secrets or elevated GitHub token.
+  - checkout_pr: &checkout_pr
+      name: "Checkout code"
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
   - docker_buildx: &docker_buildx
       name: "Set up Docker Buildx"
       uses: docker/setup-buildx-action@v1
@@ -212,7 +220,8 @@ workflows:
       push:
         branches:
           - master
-      pull_request:
+      pull_request_target:
+        types: [labeled]
         branches:
           - master
 
@@ -221,11 +230,12 @@ workflows:
     jobs:
       build_compiler_containers:
         <<: *build_compiler_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_compiler_containers_job_env
 
         steps:
-          - *checkout
+          - *checkout_pr
           - *docker_buildx
           - *login_ghcr
           - *build_compiler_containers_toolchain
@@ -236,21 +246,23 @@ workflows:
 
       build_tool_containers:
         <<: *build_tool_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_tool_containers_job_env
 
         steps:
-          - *checkout
+          - *checkout_pr
           - *docker_buildx
           - *login_ghcr
           - *build_tool_containers_final
 
       build_backend:
         name: "Build backend"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Cache Cargo intermediate products"
             uses: actions/cache@v2
@@ -290,9 +302,10 @@ workflows:
       build_frontend:
         name: "Build frontend"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Get yarn cache directory path"
             id: yarn-cache-dir-path
@@ -336,6 +349,7 @@ workflows:
       run_integration_tests:
         name: "Running integration tests"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         needs:
           - build_compiler_containers
           - build_tool_containers
@@ -347,7 +361,7 @@ workflows:
             working-directory: tests
 
         steps:
-          - *checkout
+          - *checkout_pr
 
           - name: "Configure Ruby"
             uses: actions/setup-ruby@v1