From e985a07c18391e9004141b456e03b73a9688b314 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Fri, 1 Mar 2024 17:06:03 -0500
Subject: [PATCH 01/13] Workflow for PR run checks to manage secret usage
---
.github/workflows/check-run.yml | 20 ++++++++++++++++++++
.github/workflows/scan.yml | 7 +++++++
2 files changed, 27 insertions(+)
create mode 100644 .github/workflows/check-run.yml
diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
new file mode 100644
index 0000000..82f0892
--- /dev/null
+++ b/.github/workflows/check-run.yml
@@ -0,0 +1,20 @@
+name: Check PR run
+
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+ workflow_call:
+
+permissions: read-all
+
+jobs:
+ check:
+ name: Check
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Check access
+ if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' }}
+ run: |
+ echo "Event not triggered by a collaborator."
+ exit 1
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index fa1141f..9882270 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -12,9 +12,15 @@ on: permissions: read-all jobs: + check-run: + name: Check PR run + if: github.event_name == 'pull_request' + uses: ./.github/workflows/check-run.yml + sast: name: SAST scan runs-on: ubuntu-22.04 + needs: check-run permissions: security-events: write
@@ -42,6 +48,7 @@ jobs: quality: name: Quality scan runs-on: ubuntu-22.04 + needs: check-run steps: - name: Check out repo
From 87904eedd9a123e297fbf54d2c5db655ef0fbe39 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Mon, 4 Mar 2024 13:42:16 -0500
Subject: [PATCH 02/13] Use full permission check
---
.github/workflows/check-run.yml | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
index 82f0892..cdd63fe 100644
--- a/.github/workflows/check-run.yml
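Review bot: `needs: check-run` on `sast` here, and on `quality` in the next hunk, combined with `if: github.event_name == 'pull_request'` on `check-run`, means that on `push` events to main/rc/hotfix-rc the gate job is skipped and GitHub then skips every job that depends on a skipped job, so neither scan runs for pushes. The same conditional gate reappears in patch 04 and patch 10 with the same effect. Either leave check-run unconditional, or give the dependents an explicit `if: ${{ !cancelled() && needs.check-run.result != 'failure' }}` so that a skipped gate does not suppress the scan while a failed gate still does. The `sast` job continues past the end of the hunk.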
+++ b/.github/workflows/check-run.yml
@@ -13,8 +13,19 @@ jobs: runs-on: ubuntu-22.04 steps: - - name: Check access - if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' }} + - name: Get user permission + id: get-permission + uses: actions-cool/check-user-permission@956b2e73cdfe3bcb819bb7225e490cb3b18fd76e # v2.2.1 + with: + require: write + username: ${{ github.triggering_actor }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Check user permission + if: steps.get-permission.outputs.require-result == 'false' run: | - echo "Event not triggered by a collaborator." + echo "User ${{ github.triggering_actor }} does not have the necessary access for this repository." + echo "Current permission level is ${{ steps.get-permission.outputs.user-permission }}." + echo "Job originally triggered by ${{ github.actor }}." exit 1
From 4e4b12e34dff96b6c2e85ea565bfd240ab69585c Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 10:15:33 -0500
Subject: [PATCH 03/13] Make check-run only for workflow calls and scan on targets
---
.github/workflows/check-run.yml | 2 --
.github/workflows/scan.yml | 6 +++++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
index cdd63fe..8f0a63d 100644
--- a/.github/workflows/check-run.yml
+++ b/.github/workflows/check-run.yml
@@ -1,8 +1,6 @@ name: Check PR run on: - pull_request_target: - types: [opened, synchronize] workflow_call: permissions: read-all
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 9882270..da437c2 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -7,7 +7,8 @@ on: - "main" - "rc" - "hotfix-rc" - pull_request: + pull_request_target: + types: [opened, synchronize] permissions: read-all
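Review bot: `if: steps.get-permission.outputs.require-result == 'false'` fails the job only when the action explicitly reports `false`; if that output is empty or absent (a renamed output in a future pin, or an action failure masked later by `continue-on-error`) the step is skipped and the gate passes, which is fail-open for a check whose job is to release secrets to dependent jobs. Inverting it to `if: steps.get-permission.outputs.require-result != 'true'` makes the default fail-closed. The `run:` script also expands `${{ github.triggering_actor }}`, `${{ github.actor }}` and the action output straight into shell text; usernames are a restricted character set, but the conventional form is to pass these through `env:` and reference them as `$VAR` in the script. A comment above the first step recording that on `synchronize` the triggering actor is whoever pushed to the PR branch, and that a maintainer re-running the workflow becomes the triggering actor and thereby approves the PR head (which the last echo line hints the author expects), would document the trust decision this gate makes. The `check` job's header and `runs-on` line sit before the hunk.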
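Review bot: moving the trigger from `pull_request` to `pull_request_target` runs this workflow in the base repository's context, with repository secrets such as `CHECKMARX_TENANT` available, for pull requests opened from forks, and nothing in the hunk records that the only thing between fork code and those secrets is the `check-run` gate on the scanning jobs. A comment above the trigger, `# pull_request_target: base-repo secrets are present even for fork PRs; scanning jobs must keep needs: check-run before checking out the PR head`, would stop a later edit from dropping the gate without noticing. `permissions: read-all` on the following context line keeps the GITHUB_TOKEN read-only, which is the right pairing for this trigger. The `on:` block starts before the hunk.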
@@ -27,6 +28,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Scan with Checkmarx uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
@@ -55,6 +58,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - name: Scan with SonarCloud uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
From 22beae5166f7a615224d02d27856723bc1961896 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 10:26:12 -0500
Subject: [PATCH 04/13] Check target
---
.github/workflows/scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index da437c2..bcceb17 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -15,7 +15,7 @@ permissions: read-all jobs: check-run: name: Check PR run - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' uses: ./.github/workflows/check-run.yml sast:
From a0ef2a1fb83515175432f77036d226fdbed63202 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 10:27:30 -0500
Subject: [PATCH 05/13] Preliminary needs
---
.github/workflows/check-run.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
index 8f0a63d..14894f1 100644
--- a/.github/workflows/check-run.yml
+++ b/.github/workflows/check-run.yml
@@ -2,6 +2,8 @@ name: Check PR run on: workflow_call: + pull_request_target: + types: [opened, synchronize] permissions: read-all
From ca2da450dd9eae201a2fcf51eeed4822d861e7a1 Mon Sep 17 00:00:00 2001
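Review bot: checking out `${{ github.event.pull_request.head.sha }}` under `pull_request_target` places the fork's code on a runner that holds repository secrets, and `actions/checkout` at its default `persist-credentials: true` also writes the job's `GITHUB_TOKEN` into `.git/config` of that untrusted tree; adding `persist-credentials: false` under the same `with:` here, and under the quality job's checkout in the next hunk, keeps the token out of the working copy, and neither static-scan step appears to need a git credential. On `push` events the expression is empty and checkout falls back to the triggering ref, which looks intended but deserves a comment on the `ref:` line such as `# PR head for pull_request_target; empty (default ref) on push`. The step list continues beyond the hunk.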
From: Matt Bishop
Date: Tue, 5 Mar 2024 11:32:48 -0500
Subject: [PATCH 06/13] Keep target removed
---
.github/workflows/check-run.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
index 14894f1..8f0a63d 100644
--- a/.github/workflows/check-run.yml
+++ b/.github/workflows/check-run.yml
@@ -2,8 +2,6 @@ name: Check PR run on: workflow_call: - pull_request_target: - types: [opened, synchronize] permissions: read-all
From 24c4e282f036107c3135afbcffb3ce5d65531886 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 11:33:06 -0500
Subject: [PATCH 07/13] Temporarily open up
---
.github/workflows/scan.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index bcceb17..80839cb 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -8,7 +8,6 @@ on: - "rc" - "hotfix-rc" pull_request_target: - types: [opened, synchronize] permissions: read-all
From 65a9560c9aec63beb787f0875e14c12931a13b19 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 11:34:39 -0500
Subject: [PATCH 08/13] Revert "Temporarily open up"
This reverts commit 24c4e282f036107c3135afbcffb3ce5d65531886.
---
.github/workflows/scan.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 80839cb..bcceb17 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -8,6 +8,7 @@ on: - "rc" - "hotfix-rc" pull_request_target: + types: [opened, synchronize] permissions: read-all
From b02a21e69c062f130548f761d79f5f14a142c15d Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 11:35:23 -0500
Subject: [PATCH 09/13] Always run check
---
.github/workflows/scan.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index bcceb17..357ea6b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -15,7 +15,6 @@ permissions: read-all jobs: check-run: name: Check PR run - if: github.event_name == 'pull_request_target' uses: ./.github/workflows/check-run.yml sast:
From 13efe895cedcee00e74f618adb49581f018d1831 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 14:23:06 -0500
Subject: [PATCH 10/13] Allow PRs again, and check only on targets
---
.github/workflows/scan.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 357ea6b..aca9a1b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -7,6 +7,7 @@ on: - "main" - "rc" - "hotfix-rc" + pull_request: pull_request_target: types: [opened, synchronize]
@@ -15,6 +16,7 @@ permissions: read-all jobs: check-run: name: Check PR run + if: github.event_name == 'pull_request_target' uses: ./.github/workflows/check-run.yml sast:
From 92b5cba32af2c7bca271201174c4e3b38966860c Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 14:25:26 -0500
Subject: [PATCH 11/13] Incremental for both PR events
---
.github/workflows/scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index aca9a1b..9334d1d 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -35,7 +35,7 @@ jobs: - name: Scan with Checkmarx uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23 env: - INCREMENTAL: "${{ github.event_name == 'pull_request' && '--sast-incremental' || '' }}" + INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}" with: project_name: ${{ github.repository }} cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
From 015e17913d35d7ab895fd3c6b7e776f877186e53 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Tue, 5 Mar 2024 14:26:28 -0500
Subject: [PATCH 12/13] Do not skip
---
.github/workflows/scan.yml | 1 -
1 file changed, 1 deletion(-)
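Review bot: `contains(github.event_name, 'pull_request')` is a substring test, so it reads as matching any event name with that prefix rather than the two events this workflow actually listens for. The explicit form `github.event_name == 'pull_request' || github.event_name == 'pull_request_target'` states the intent directly and will not silently widen if another PR-related trigger is added later. The Checkmarx step's `with:` block continues beyond the hunk.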
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 9334d1d..b143124 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -16,7 +16,6 @@ permissions: read-all jobs: check-run: name: Check PR run - if: github.event_name == 'pull_request_target' uses: ./.github/workflows/check-run.yml sast:
From f634c62cf0809db7f1acd515786528f462120e7c Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Fri, 8 Mar 2024 08:19:45 -0500
Subject: [PATCH 13/13] Removal for final testing post-merge
---
.github/workflows/scan.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index b143124..2bc5a6c 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -7,7 +7,6 @@ on: - "main" - "rc" - "hotfix-rc" - pull_request: pull_request_target: types: [opened, synchronize]