From 1d145ef7ac78691395bcf0abc70ae14e3ee17242 Mon Sep 17 00:00:00 2001
From: Alexander Baranov <a.baranov@protonmail.com>
Date: Thu, 10 Jul 2025 11:45:48 +0100
Subject: [PATCH] Allow integration tests from collaborators

---
 .github/workflows/integration-tests.yml | 35 ++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 7260b00b4..d114e4159 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -2,15 +2,44 @@ name: Integration tests
 
 on:
   push:
-    branches:
-      - master
+    branches: [master]
+  pull_request_target:
+    branches: [master]
+    types:   [opened, synchronize, reopened]
 
 jobs:
+  decide-if-trusted:
+    runs-on: ubuntu-latest
+    outputs:
+      ok: ${{ steps.check.outputs.ok }}
+    steps:
+      - name: Trust gate
+        id: check
+        run: |
+          # default to skip
+          echo "ok=false" >> "$GITHUB_OUTPUT"
+
+          # Push events are always safe
+          if [ "${{ github.event_name }}" = "push" ]; then
+            echo "ok=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # For PRs, look at the author's relationship
+          case "${{ github.event.pull_request.author_association }}" in
+            OWNER|MEMBER|COLLABORATOR|CONTRIBUTOR)
+              echo "ok=true" >> "$GITHUB_OUTPUT"
+              ;;
+          esac
+
   integration_tests:
-    name: Run integration tests
+    needs: decide-if-trusted
+    if: needs.decide-if-trusted.outputs.ok == 'true'
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha || github.sha }}
     - name: Setup Go
       uses: actions/setup-go@v5
       with: