tests: add integration test for pull_request_target

.github/workflows/base-test-pr-trigger.yml

@@ -0,0 +1,66 @@
+# Inspired by https://github.com/osbuild/bootc-image-builder/blob/031df2b115743a87b6684d4894f3d1730afefc98/.github/workflows/testingfarm.yml
+name: Testing farm PR triggered tests
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+# To use testing farm we need the TF_API_KEY secret available inside the
+# forked repo which requires the pull_request_target trigger. To protect
+# the secrets we need to make sure only people with repo write access
+# can trigger this workflow. This means that ouside contributors will
+# get an initial failure when the workflow is run. But once someone from
+# the team re-triggers it it will work.
+#
+# Note that "pull_requqest_target" events are always triggered even
+# when the "Fork pull request workflows from outside collaborators"
+# setting is restricted to "Require approval for all outside collaborators"
+# (see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)
+#
+# Note also that this precautions might be overkill because a fork
+# cannot modify this workflow and all we do is run a branch inside
+# testing farm. But a) the scope of workflow may expand over time
+# b) it feels safer this way and is not a big burden in practise.
+#
+# This follows https://michaelheap.com/access-secrets-from-forks/
+jobs:
+  testingfarm:
+    name: "Smoke test for tfaga - pull_request_target"
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+      statuses: write
+
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run the tests
+        uses: ./
+        with:
+          api_key: ${{ secrets.TF_PUBLIC_API_KEY }}
+          tmt_plan_regex: "smoke_plan"
+          pull_request_status_name: "Smoke test - pull_request_target"
+          update_pull_request_status: "true"
+          create_issue_comment: "true"