From 33320bd38eaca6868acb687e2141459b862c7f29 Mon Sep 17 00:00:00 2001
From: Himself65 <himself65@outlook.com>
Date: Tue, 21 Mar 2023 08:46:31 -0500
Subject: [PATCH] ci: fix workflow secure in build.yml (#1644)

---
 .github/workflows/build.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f6631d53fb..e763c246eb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,6 +3,9 @@ name: Build & Test
 on:
   pull_request_target:
     branches: [master]
+    types:
+      - labeled
+      - unlabeled
     paths-ignore:
       - '.husky'
       - '.vscode'
@@ -19,10 +22,13 @@ jobs:
   build:
     name: Build on Pull Request
     runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'safe to test')
     environment: development
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Use Node.js LTS
         uses: actions/setup-node@v3
         with:
@@ -148,6 +154,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - name: Use Node.js LTS
         uses: actions/setup-node@v3
         with: