From 8c765ebb867a2063ef21189882d68cef3e81067f Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Thu, 7 Mar 2024 15:26:02 -0500
Subject: [PATCH] Switch to running on pull requests
---
 .github/workflows/coverage.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index f0a2ffb4b..f1a5527e2 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -1,6 +1,8 @@
 name: coverage
-on: [push]
+on:
+ # this allows for `contents: write` and `pull-requests: write` from forks
+ pull_request_target:
 # limit default permissions to just read-only checkouts
 permissions:
@@ -19,7 +21,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v3
 with:
- ref: ${{ matrix.branch == 'main' && 'main' || '' }}
+ # for safety, `pull_request_target` changes the default checkout to be the target branch, so we have to request the merge (we're limited to `permissions: {contents: read}`, so this is ok)
+ ref: ${{ matrix.branch == 'main' && 'main' || (github.event.pull_request && format('refs/pull/{0}/merge', github.event.pull_request.number)) || '' }}
 - name: Bazel cache
 id: bazel-cache
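Review bot: The comment added above `pull_request_target:` records only what the trigger gains (`contents: write` and `pull-requests: write` for fork PRs) and not what it costs: the run also executes in the base repository's context, so repository secrets and the base branch's cache scope are within reach of every job, and the `permissions:` block below restricts neither. Whichever job is granted the write scopes is outside this hunk; if it shares a workflow with the build of fork code, the usual safer split is an unprivileged `pull_request` workflow that uploads the coverage result as an artifact and a separate `workflow_run` workflow that posts it. At minimum I would extend the comment to something like `# runs with base-repo secrets and cache scope; jobs holding write permissions must not check out or execute PR code`.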
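Review bot: The new `ref:` checks out `refs/pull/N/merge`, which is fork-controlled code, inside a `pull_request_target` run, and the comment's claim that this is ok rests only on the token being `contents: read`. `actions/checkout` leaves the token in the local git config by default, so I would add `persist-credentials: false` under `with:` to keep it away from the build and test steps that follow. The `Bazel cache` step visible in the trailing context is a second exposure: if it saves a cache from this job, entries produced while building PR code could later be restored by runs on the target branch, so cache writes should be limited to trusted refs (that step's configuration is outside the hunk, so please confirm). The job body continues beyond the hunk.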