Try to use pull_request_target-triggered actions in a secure way, given those actions have access to repo secrets

Author: crew102

.github/workflows/R-CMD-check.yaml

@@ -1,11 +1,38 @@
 # For help debugging build failures open an issue on the RStudio community with the 'github-actions' tag.
 # https://community.rstudio.com/new-topic?category=Package%20development&tags=github-actions
-on: [push, pull_request]
+
+# Details on pull_request_target and why it's insecure:
+# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+# Post describing a workaround, from which we take inspiration:
+# https://michaelheap.com/access-secrets-from-forks/
 
 name: R-CMD-check
 
+on:
+  push:
+    branches:
+      - master
+      - 'feature/**'
+      - 'bugfix/**'
+  pull_request_target:
+    types: [opened, synchronize]
+
 jobs:
+  pre-check:
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Confirm crew102 triggered the build for the PR
+        run: |
+          if [ "${{ github.actor }}" == "crew102" ]; then
+            echo "Actor is crew102"
+          else
+            echo "Actor is ${{ github.actor }}, failing build."
+            exit 1
+          fi
+
   R-CMD-check:
+    needs: [pre-check]
     runs-on: ${{ matrix.config.os }}
 
     name: ${{ matrix.config.os }} (${{ matrix.config.r }})
@@ -29,7 +56,11 @@ jobs:
       PATENTSVIEW_API_KEY: ${{ secrets.PATENTSVIEW_API_KEY }}
 
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          # Use the head SHA for pull requests
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - uses: r-lib/actions/setup-r@v1
         with: