From 437d00dde346bdd596ffe2686ec4ba67e01fde65 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Mon, 11 Sep 2023 14:02:06 +0200 Subject: [PATCH] workflows/check-by-name: Make runnable without approval Co-Authored-By: zowoq <59103226+zowoq@users.noreply.github.com> --- .github/workflows/check-by-name.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-by-name.yml b/.github/workflows/check-by-name.yml index da39846df408..7a3598dbe2a4 100644 --- a/.github/workflows/check-by-name.yml +++ b/.github/workflows/check-by-name.yml @@ -3,8 +3,10 @@ name: Check pkgs/by-name # The pre-built tool is fetched from a channel, -# making it work predictable on all PRs -on: pull_request +# making it work predictable on all PRs. +on: + # Using pull_request_target instead of pull_request avoids having to approve first time contributors + pull_request_target # The tool doesn't need any permissions, it only outputs success or not based on the checkout permissions: {} @@ -16,6 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + # pull_request_target checks out the base branch by default + ref: refs/pull/${{ github.event.pull_request.number }}/merge - uses: cachix/install-nix-action@v23 - name: Determining channel to use for dependencies run: |
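Review bot: The comment added above `pull_request_target` in the first hunk gives only the convenience reason and leaves out the security invariant the trigger now depends on. With `pull_request_target` the job runs in the base repository's context for every pull request, unapproved ones included, so what keeps it safe is the existing `permissions: {}` line and the absence of any `secrets.*` reference in the steps. I would extend the comment to say so, e.g. `# Security: runs in the base repo context on untrusted PRs; keep permissions: {} and never reference secrets in this workflow`. The steps list continues past the end of the diff, so whether a later step uses secrets or a cache cannot be confirmed from here.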
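Review bot: The `with:` block added to `actions/checkout@v4` in the second hunk checks out contributor-controlled content under `pull_request_target` but leaves the action's default credential persistence on, so the job token is written into the workspace's git config where later steps that process the PR tree can read it. `permissions: {}` limits what that token can do, but adding `persist-credentials: false` next to `ref:` removes the exposure entirely. Separately, `refs/pull/<number>/merge` is only refreshed when GitHub can compute a merge, so for a conflicting PR it may be missing or stale; a comment noting that, or a mergeability check before the checkout, would help. The steps list runs past the end of the hunk, so how the checked-out tree is consumed is not visible here.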