ci: use workflow_run to allow secrets on dependabot and fork PRs

.github/workflows/CI-init.yml

@@ -0,0 +1,22 @@
+---
+# this workflow initializes a secondary workflow that will have access to secrets
+name: CI-init
+
+on:
+  pull_request:
+    branches: [master]
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  initialize:
+    runs-on: ubuntu-latest
+    steps:
+      - name: pass
+        run: true

.github/workflows/ci.yml → .github/workflows/CI-run.yml

@@ -1,13 +1,12 @@
 ---
-name: CI
+name: CI-run
 
 on:
-  pull_request:
-    branches: [master]
-    types: [opened, synchronize, reopened]
-  push:
-    branches: [master]
-  workflow_dispatch:
+  workflow_run:
+    workflows:
+      - CI-init
+    types:
+      completed
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -17,8 +16,27 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
+      # tell the PR that the action is running
+#      - name: Set status to running
+#        if: ${{ github.event.workflow_run.conclusion == 'success' }}
+#        uses: actions/github-script@v6
+#        with:
+#          script: |
+#            github.repos.createCommitStatus({
+#              owner: context.repo.owner,
+#              repo: context.repo.repo,
+#              sha: context.sha,
+#              state: 'pending',
+#              context: 'CI-run',
+#              description: 'Running CI-run',
+#              target_url: '${{ github.event.workflow_run.event.html_url }}',
+#            })
+
+      # checkout the PR merge commit
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_commit.id || github.sha }}
 
       - name: Setup Release
         id: setup-release
@@ -31,10 +49,12 @@ jobs:
       - name: Set action variables
         id: vars
         run: |
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
+          # check if original workflow was a "pull_request"
+          
+          if [ "${{ github.event.workflow_run.event_name }}" == "pull_request" ]; then
             discussion_category=tests
             publish_pre_release=true
-            release_tag=pr-${{ github.event.pull_request.number }}-${{ github.run_id }}
+            release_tag=pr-${{ github.event.workflow_run.event.number }}-${{ github.run_number }}
             token=${{ secrets.GITHUB_TOKEN }}
           else
             discussion_category=announcements
@@ -64,13 +84,29 @@ jobs:
           token: ${{ steps.vars.outputs.token }}
 
       - name: Sleep
-        if: ${{ always() && github.event_name == 'pull_request' }}
-        run: sleep 30
+        if: ${{ always() && github.event.workflow_run.event_name == 'pull_request' }}
+        run: sleep 120
 
       - name: Delete Release
         env:
           GITHUB_TOKEN: ${{ steps.vars.outputs.token }}
-        if: ${{ always() && github.event_name == 'pull_request' }}
+        if: ${{ always() && github.event.workflow_run.event_name == 'pull_request' }}
         uses: dev-drprasad/delete-tag-and-release@v0.2.1
         with:
           tag_name: ${{ steps.vars.outputs.release_tag }}
+
+      # tell the PR that the action is complete
+#      - name: Update status
+#        if: always()
+#        uses: actions/github-script@v6
+#        with:
+#          script: |
+#            github.repos.createCommitStatus({
+#              owner: context.repo.owner,
+#              repo: context.repo.repo,
+#              sha: context.sha,
+#              state: '${{ job.status }}',
+#              context: 'CI-run',
+#              description: 'CI-run ${{ job.status }}',
+#              target_url: '${{ github.event.workflow_run.event.html_url }}',
+#            })