Turns out pull_request_target runs automatically, even if "approve workflow runs from forks" is on... So build is skipped without the label, then can't be triggered without another commit.
In the github actions script it appears that there are 3 valid conditions for the job to be run.
As shown here (.github/workflows/build_and_deploy.yml)
```yaml
# if not a PR, or an internal PR, or PR has 'safe to test' label
if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository || contains(github.event.pull_request.labels.*.name, 'safe to test')
```
Therefore only builds from this repo or with the 'safe to test' label will run.
A likely fix would just remove the if condition so it will run the test for all PRs.
@CraftyDH PRs access secrets for staging deployment, so we need some sort of approval to prevent secret exfiltration. The goal was "label PR > hit approve button", but turns out the approve button doesn't show
Turns out pull_request_target runs automatically, even if "approve workflow runs from forks" is on... So build is skipped without the label, then can't be triggered without another commit.
Along with the move to paid SWA, we could look at using OIDC identities instead of secrets - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
This should remove the _target dependency, and we could ditch the label to just use the native approval system
(Edit by @jthvai) pull_request_target is required to use secrets.