fix: Removed usage of pull_request_target as much as possible to prev…

…ent security concerns

Signed-off-by: Theodor Mihalache <[email protected]>

.github/workflows/pr_integration_tests.yml

@@ -11,25 +11,24 @@ on:
 #concurrency:
 #  group: pr-integration-tests-${{ github.event.pull_request.number }}
 #  cancel-in-progress: true
+permissions:
+  contents: write
+  actions: write
+  attestations: read
+  checks: read
+  deployments: read
+  id-token: write
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: read
+  statuses: read
 
 jobs:
   integration-test-python:
-    permissions:
-      contents: write
-      actions: write
-      attestations: read
-      checks: read
-      deployments: read
-      id-token: write
-      issues: read
-      discussions: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
-      security-events: read
-      statuses: read
-
     # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||

.github/workflows/pr_local_integration_tests.yml

@@ -10,7 +10,6 @@ on:
 
 jobs:
   integration-test-python-local:
-    # when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
     if:
       ((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
       (github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&