Pass secrets to approved workflows

Author: marickvantuil

.github/workflows/run-tests.yml

@@ -1,14 +1,24 @@
 name: Run tests
 
 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize]
   schedule:
     - cron: '0 0 * * *'
 
 jobs:
-  php-tests:
+  access_check:
     runs-on: ubuntu-latest
+    steps:
+      - name: Check user permissions
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.author_association != 'MEMBER' }}
+        run: |
+          echo "Action was not triggered by an organization member. Exiting now."
+          exit 1
 
+  php-tests:
+    runs-on: ubuntu-latest
+    needs: access_check
     strategy:
       matrix:
         db: ['mysql', 'pgsql']
@@ -32,7 +42,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2