From 90fc823d63e08ef358918a8ab62258712921af6d Mon Sep 17 00:00:00 2001
From: Rustie Lin
Date: Wed, 18 Jun 2025 15:02:01 -0700
Subject: [PATCH] [gha] allow external contributors build/lint
---
 .github/workflows/ci.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 33f399bbe..bc0d9d1b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,15 +4,27 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
+    branches:
+      - 06-18-_gha_allow_external_contributors_build_lint # canary for the PR that introduces pull_request_target
 permissions:
   contents: read
   id-token: write #required for GCP Workload Identity federation which we use to login into Google Artifact Registry
 jobs:
+  permission-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check repository permission for user which triggered workflow
+        uses: sushichop/action-repository-permission@13d208f5ae7a6a3fc0e5a7c2502c214983f0241c
+        with:
+          required-permission: write
+          comment-not-permitted: Sorry, you don't have permission to trigger this workflow.
+
   lint:
     runs-on: ubuntu-latest
+    needs: permission-check # This is required to ensure we have permission to build against the GCP Artifact Registry
     steps:
       - uses: actions/checkout@v4
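Review bot: With the trigger switched to `pull_request_target`, the workflow-level `permissions` block still grants `id-token: write` to every job, including the new `permission-check`, so each job runs in the base repository's context and can mint an OIDC token for the GCP Workload Identity federation; `needs: permission-check` is the only barrier between a fork PR and that identity. Scope the token per job: keep only `contents: read` at workflow level and add `permissions: { contents: read, id-token: write }` to the jobs that actually log in to Artifact Registry. Under `pull_request_target` a bare `actions/checkout@v4` checks out the base branch, not the PR head, so as shown `lint` does not see the contributor's change. The `lint` steps continue outside the hunk; if a `ref:` pointing at the PR head is set there, that tree is untrusted and should be checked out with `persist-credentials: false` and kept out of any job that holds `id-token: write`. Any jobs not visible in this hunk would need the same `needs: permission-check` gate.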