Updates

.github/workflows/external-message.yml

@@ -11,27 +11,49 @@ on:
     branches:
       - main
 
+  pull_request:
+    types: [opened, reopened, synchronize]
+
 
 
 jobs:
   comment-on-pr:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+
     steps:
-      - name: Check if external contribution
-        id: check_fork
+      # NOTE: This is not 100% accurate, but it should work for most cases.
+      - name: Check user and potential secret access
+        id: check-secrets-access
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-            echo "is_fork=true" >> $GITHUB_OUTPUT
+          # Get user info
+          USER_LOGIN="${{ github.event.pull_request.user.login }}"
+          echo "Pull request opened by: $USER_LOGIN"
+          
+          # Check if user is a collaborator
+          IS_COLLABORATOR=$(gh api repos/${{ github.repository }}/collaborators/$USER_LOGIN --silent && echo "true" || echo "false")
+          
+          # Check if PR is from a fork
+          BASE_REPO="${{ github.event.pull_request.base.repo.full_name }}"
+          HEAD_REPO="${{ github.event.pull_request.head.repo.full_name }}"
+          IS_FORK=$([[ "$BASE_REPO" != "$HEAD_REPO" ]] && echo "true" || echo "false")
+          
+          # Determine potential secret access
+          if [[ "$IS_COLLABORATOR" == "true" && "$IS_FORK" == "false" ]]; then
+            echo "has_secrets_access=true" >> $GITHUB_OUTPUT
+            echo "User $USER_LOGIN likely has access to secrets"
           else
-            echo "is_fork=false" >> $GITHUB_OUTPUT
+            echo "has_secrets_access=false" >> $GITHUB_OUTPUT
+            echo "User $USER_LOGIN likely does not have access to secrets"
           fi
 
       - uses: actions/checkout@v4
 
       - name: Delete old comments
-        if: steps.check_fork.outputs.is_fork == 'true'
+        if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
         env:
            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -48,7 +70,7 @@ jobs:
             fi
 
       - name: Comment on PR
-        if: steps.check_fork.outputs.is_fork == 'true'
+        if: steps.check-secrets-access.outputs.is_fork != 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -58,8 +80,8 @@ jobs:
           [go/deco-tests-run/sdk-go](https://go/deco-tests-run/sdk-go)
 
           Inputs:
-          PR Number:${{github.event.pull_request.number}}
-          Commit SHA:${{ github.event.pull_request.head.sha }}
+          PR number: ${{github.event.pull_request.number}}
+          Commit SHA: `${{ github.event.pull_request.head.sha }}`
           
           Checks will be approved automatically on success.
           "

.github/workflows/integration-tests.yml

@@ -9,11 +9,28 @@ on:
 
 
 jobs:
-  # Secrets are not available for forks.
+  check-token:
+    name: Check GITHUB_TOKEN
+    runs-on: ubuntu-latest
+    outputs:
+      has_token: ${{ steps.set-token-status.outputs.has_token }}
+    steps:
+      - name: Check if GITHUB_TOKEN is set
+        id: set-token-status
+        run: |
+          if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
+            echo "GITHUB_TOKEN is empty."
+            echo "::set-output name=has_token::true"
+          else
+            echo "GITHUB_TOKEN is set."
+            echo "::set-output name=has_token::false"
+          fi
+
   trigger-tests:
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
     name: Trigger Tests
     runs-on: ubuntu-latest
+    needs: check-token
+    if: github.event_name == 'pull_request'  && needs.check-token.outputs.has_token == 'true'
     environment: "test-trigger-is"
 
     steps: