[2.29.x] Use pull_request_target to build PRs from forks

.github/workflows/ci.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - master
       - '[0-9]+.[0-9]+.x'  # Patch branches like 2.10.x, 2.9.x
-  pull_request:
+  pull_request_target:
     branches:
       - master
       - '[0-9]+.[0-9]+.x'
@@ -27,7 +27,7 @@ env:
 jobs:
   # Incremental build for PRs
   incremental-build:
-    if: github.event_name == 'pull_request'
+    if: github.event_name == 'pull_request_target'
     runs-on: ubuntu-latest
     timeout-minutes: 180
     steps:
@@ -41,6 +41,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0  # Full history needed for incremental build
 
       - name: Set up JDK 17
@@ -77,7 +78,7 @@ jobs:
 
   # Full build for master/patch branches
   full-build:
-    if: github.event_name != 'pull_request'
+    if: github.event_name != 'pull_request_target'
     runs-on: ubuntu-latest
     timeout-minutes: 180
     steps:
@@ -98,21 +99,6 @@ jobs:
           distribution: 'temurin'
           cache: maven
 
-      - name: Configure Maven settings
-        uses: s4u/maven-settings-action@v3.0.0
-        with:
-          servers: |
-            [{
-              "id": "codice",
-              "username": "${{ github.actor }}",
-              "password": "${{ secrets.READ_PACKAGES }}"
-            },
-            {
-              "id": "connexta",
-              "username": "${{ github.actor }}",
-              "password": "${{ secrets.READ_PACKAGES }}"
-            }]
-
       - name: Full build (excluding itests)
         run: mvn clean install $MAVEN_CLI_OPTS -P !itests
 
@@ -133,7 +119,7 @@ jobs:
   # DDF Core integration tests (for PRs)
   integration-tests:
     needs: incremental-build
-    if: github.event_name == 'pull_request' && needs.incremental-build.result == 'success'
+    if: github.event_name == 'pull_request_target' && needs.incremental-build.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
@@ -146,6 +132,8 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up JDK 17
         uses: actions/setup-java@v4
@@ -164,15 +152,17 @@ jobs:
             -pl distribution/test/itests/test-itests-ddf-core \
             -nsu
 
-  # OWASP Dependency Check
-  dependency-check:
-    needs: [incremental-build, full-build]
-    if: always() && (needs.incremental-build.result == 'success' || needs.full-build.result == 'success')
+  # OWASP Dependency Check (PRs)
+  dependency-check-pr:
+    needs: incremental-build
+    if: always() && needs.incremental-build.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up JDK 17
         uses: actions/setup-java@v4
@@ -198,19 +188,10 @@ jobs:
 
       - name: OWASP Dependency Check
         run: |
-          if [ "${{ github.event_name }}" != "pull_request" ]; then
-            # Full scan with distribution for non-PR builds
-            mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \
-              dependency-check:aggregate $MAVEN_CLI_OPTS \
-              -q -pl '!distribution/docs' \
-              -P '!itests,owasp-dist'
-          else
-            # Incremental scan for PRs
-            mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \
-              dependency-check:aggregate $MAVEN_CLI_OPTS \
-              -q -pl '!distribution/docs' \
-              -P '!itests'
-          fi
+          mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \
+            dependency-check:aggregate $MAVEN_CLI_OPTS \
+            -q -pl '!distribution/docs' \
+            -P '!itests'
 
       - name: Upload dependency check report
         uses: actions/upload-artifact@v4
@@ -220,10 +201,49 @@ jobs:
           path: target/dependency-check-report.html
           retention-days: 30
 
+  # OWASP Dependency Check (master/patch branches)
+  dependency-check:
+    needs: full-build
+    if: always() && needs.full-build.result == 'success'
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Configure Maven settings
+        uses: s4u/maven-settings-action@v3.0.0
+        with:
+          servers: |
+            [{
+              "id": "codice",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.READ_PACKAGES }}"
+            },
+            {
+              "id": "connexta",
+              "username": "${{ github.actor }}",
+              "password": "${{ secrets.READ_PACKAGES }}"
+            }]
+
+      - name: OWASP Dependency Check
+        run: |
+          mvn org.commonjava.maven.plugins:directory-maven-plugin:highest-basedir@directories \
+            dependency-check:aggregate $MAVEN_CLI_OPTS \
+            -q -pl '!distribution/docs' \
+            -P '!itests,owasp-dist'
+
   # SonarCloud analysis (master only)
   sonarcloud:
     needs: full-build
-    if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request'
+    if: github.ref == 'refs/heads/master' && github.event_name != 'pull_request_target'
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
@@ -262,7 +282,7 @@ jobs:
     needs: [full-build, dependency-check]
     if: |
       always() &&
-      github.event_name != 'pull_request' &&
+      github.event_name != 'pull_request_target' &&
       (github.ref == 'refs/heads/master' || contains(github.ref, '.x')) &&
       needs.full-build.result == 'success' &&
       needs.dependency-check.result == 'success'