Allow running forks with secrets

[rbs-jacob]

• I have reviewed the OFRAK contributor guide and attest that this pull request is in accordance with it.

One sentence summary of this PR (This should go in the CHANGELOG!)

Allow running GitHub Actions with secrets on external contributor forked PRs.

Link to Related Issue(s)

#338

Please describe the changes in your request.

This change makes actions on pull requests run in the context of the original repo, instead of the context of the fork. This gives the running PR code access to the secrets of the original repo. Since secrets are required for complete test coverage following #338, they will be need for the tests to run on PRs.

To mitigate the risk of users introducing malicious code to PRs to leak and exfiltrate secrets, I have changed the repo settings such that every PR from an external contributor must have the tests be manually run by someone with appropriate repo privileges. In any case, the only secrets are the NXP email and password, which aren't that secret, anyway.

Anyone you think should look at this, specifically?

@whyitfor @paulnoalhyt

[rbs-jacob]

Based on these links, I may also need to make sure it checks out the correct branch on the target PR when running the tests.

• https://stackoverflow.com/a/74959635
• https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
• https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
• https://stackoverflow.com/q/67247752
• https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks