fix: use pull_request_target to enable E2E tests for Dependabot PRs

[Copilot]

Dependabot PRs run with Dependabot-scoped secrets only and cannot access regular repository secrets under the pull_request event, causing the E2E job to always fail with E2E_RESOURCE_GROUP: Set E2E_RESOURCE_GROUP in environment or .env.

Change

Switch the E2E workflow trigger from pull_request to pull_request_target, which runs in the base-branch context and has full access to repository secrets even for Dependabot PRs. The checkout step is explicitly pinned to github.event.pull_request.head.sha so the actual PR code is tested rather than the base-branch code:

on:
  pull_request_target:
    branches: [main, dev]
    types: [opened, synchronize, reopened]

steps:
  - name: Checkout code
    uses: actions/checkout@v4
    with:
      ref: ${{ github.event.pull_request.head.sha }}

A job-level if guard is added to prevent the known pull_request_target security risk where arbitrary fork PRs could execute untrusted code with repository secrets. Only PRs from within the same repository or from dependabot[bot] are allowed to run:

if: |
  github.event_name != 'pull_request_target' ||
  github.event.pull_request.head.repo.full_name == github.repository ||
  github.actor == 'dependabot[bot]'

This allows Dependabot PRs and internal team PRs to run E2E tests with the required Azure credentials, while external fork PRs are skipped and never receive repository secrets.

[bcho]

we do want dependabot's PRs to run with e2e tests

[bcho]

@copilot please address latest comment

[Copilot]

we do want dependabot's PRs to run with e2e tests

Addressed in commit 2e69fbd. The fix changes the trigger from pull_request to pull_request_target. The pull_request_target event runs in the base-branch context and has full access to repository secrets (including E2E_RESOURCE_GROUP, AZURE_SUBSCRIPTION_ID, etc.) even for Dependabot PRs. The checkout step is explicitly pinned to github.event.pull_request.head.sha so the actual PR code is tested rather than the base-branch code.

[bcho]

@copilot does it allow ad-hoc users to run from their fork with our cred?

[bcho]

@copilot review latest comment

[Copilot]

@copilot does it allow ad-hoc users to run from their fork with our cred?

Yes — that was a real risk with the original pull_request_target approach. A malicious fork PR could have checked out and run arbitrary code with full repository secrets.

Fixed in c17cb79 by adding a job-level if guard:

if: |
  github.event_name != 'pull_request_target' ||
  github.event.pull_request.head.repo.full_name == github.repository ||
  github.actor == 'dependabot[bot]'

This means:

• workflow_dispatch / push tag triggers: always run (no restriction)
• pull_request_target: only runs for PRs from within this repository (team members) or from dependabot[bot] — external fork PRs are skipped and never receive secrets.