From 99c6287a671bf6c8b56a9f728909ec4133f84e0e Mon Sep 17 00:00:00 2001
From: wheatley
Date: Mon, 8 Nov 2021 09:32:12 +1000
Subject: [PATCH] MAINTAINABILITY: Added approval before code execution. (#2218)
---
 .github/workflows/github_actions.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/github_actions.yml b/.github/workflows/github_actions.yml
index 5fa294075..e2a908340 100644
--- a/.github/workflows/github_actions.yml
+++ b/.github/workflows/github_actions.yml
@@ -1,14 +1,22 @@
 name: 'BrowserStack Test'
-on:
- pull_request:
- branches:
- - master
+on:
+ pull_request_target:
+ branches: [ master ]
 jobs:
+ approve:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Approve
+ run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+
 ubuntu-job:
 name: 'BrowserStack Test on Ubuntu'
 runs-on: ubuntu-latest # Can be self-hosted runner also
+ environment:
+ name: Integrate Pull Request
 env:
 GITACTIONS: true
 steps:
@@ -27,6 +35,9 @@ jobs:
 - name: 'Checkout the repository'
 uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 2
 - name: 'Setting up Ruby'
 uses: ruby/setup-ruby@v1
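Review bot: The `approve` job added under `jobs:` gates nothing: `ubuntu-job` has no `needs: approve` and the step is only an `echo`, so the one control in front of this `pull_request_target` run is the protection rules on the `Integrate Pull Request` environment, which live in repository settings and cannot be checked from the patch. GitHub creates an environment that a workflow references but that does not yet exist, with no rules, so a renamed or deleted environment would let fork code run unapproved. I would remove the `approve` job (or say in a comment that it is informational) and put `# SECURITY: this environment must keep required reviewers; it is the only gate before fork code runs` above `environment:`. Since `pull_request_target` runs in the base repository's context, also add a top-level `permissions:` block with `contents: read` so the token is read-only. The `steps:` list of `ubuntu-job` continues outside the hunk.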
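Review bot: The `with:` block added to the checkout step fetches fork-controlled code (`github.event.pull_request.head.sha`) but leaves `persist-credentials` at its default, so the workflow token is stored in the checkout's git config where the later steps that run the PR's code can read it; add `persist-credentials: false` under `with:`. Using `head.sha` rather than a branch ref is right, because the approver then releases one fixed commit, and a comment such as `# head.sha is fixed at event time; approve only after reviewing this exact commit` would stop a later change to a ref. The step list continues past the end of the hunk, so what those steps do with secrets is not visible here.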