Merge branch 'main' into fix/shared-peer-deps

.github/workflows/ci.yml

@@ -138,10 +138,6 @@ jobs:
 
   integration-tests:
     name: Integration Tests
-    # Skip for fork PRs to prevent security vulnerabilities (no secrets)
-    # Runs if it comes from the root repo or once it gets approved by a maintainer
-    if: |
-      github.event.inputs.run_integration_tests == 'true' || github.event.pull_request.head.repo.full_name == github.repository
     needs: formatting-linting
     runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-l' }}
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -163,11 +159,30 @@ jobs:
             next-version: '15'
 
     steps:
+      # Skip integration tests from fork PRs to prevent secret exfiltration
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
       - name: Checkout Repo
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           show-progress: false
+          # We must first verify the user permissions before checking out PR code
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup
         id: config