update CI to allow PR from forked repo

.github/workflows/go_lint.yml

@@ -3,20 +3,24 @@ name: Go lint
 on:
   push:
     branches: [ master ]
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 jobs:
 
   lint:
     runs-on: ubuntu-latest
     steps:
-      - name: Use go >= 1.13 
+      - name: Set up Go ^1.13 
         uses: actions/setup-go@v3
         with:
-          go-version: '>=1.13'
+          go-version: ^1.13
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
 
       - name: Tidy
         run: go mod tidy && [ -z "$(git status -s)" ]

.github/workflows/go_tests.yml

@@ -3,37 +3,65 @@ name: Go test
 on:
   push:
     branches: [ master ]
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 jobs:
+  permission:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Add comment if PR permission failed
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe PR') }}
+      uses: actions/github-script@v3
+      with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
+        script: |
+          github.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: '🔒 Could not start CI tests due to missing *safe PR* label. Please contact one of the repo maintainers.'
+          })
+    - name: Check permission
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe PR') }}
+      run: |
+        echo "::error:: Could not start CI tests due to missing *safe PR* label."
+        exit 1
 
   test:
+    needs: permission
     strategy:
       matrix:
         platform: [ubuntu-latest, macos-latest, windows-latest]
 
     runs-on: ${{matrix.platform}}
 
     steps:
-      - name: Use go >= 1.13 
+      - name: Setup go ^1.13 
         uses: actions/setup-go@v3
         with:
-          go-version: '>=1.13'
+          go-version: ^1.13
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
 
-      - name: Test with coverage
-        if: matrix.platform == 'ubuntu-latest'
-        run: go test -json -covermode=count -coverprofile=profile.cov ./... > report.json
-
       - name: Test without coverage
         if: matrix.platform == 'macos-latest' || matrix.platform == 'windows-latest'
         run: go test ./...
 
+      - name: Test with coverage
+        if: matrix.platform == 'ubuntu-latest'
+        run: go test -json -covermode=count -coverprofile=profile.cov ./... > report.json
+
       - name: Sonarcloud scan
         if: matrix.platform == 'ubuntu-latest'
         uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
           args: >
             -Dsonar.organization=dedis
@@ -43,9 +71,9 @@ jobs:
             -Dsonar.c.file.suffixes=-
             -Dsonar.cpp.file.suffixes=-
             -Dsonar.objc.file.suffixes=-
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            -Dsonar.pullrequest.key=${{ github.event.number }}
+            -Dsonar.pullrequest.branch=${{ github.head_ref }}
+            -Dsonar.pullrequest.base=${{ github.event.pull_request.base }}
 
       - name: Send coverage
         if: matrix.platform == 'ubuntu-latest'