infra: Revert comment-based trigger and use pull_request_target

This commit reverts a previous, non-functional attempt to run CI on forked PRs and replaces it with the correct, standard approach.

The previous commit introduced a system using a `/check` comment to trigger workflows. This approach was fundamentally flawed due to limitations in the GitHub API, which could not resolve commit SHAs or refs from a forked repository that do not exist in the base repository's history. This resulted in `HTTP 422` errors.

This commit removes that system entirely and implements the `pull_request_target` event trigger instead. This is the GitHub-recommended method for this scenario.

The new implementation:
1. Uses the `pull_request_target` event, which runs in the context of the base repository and has access to secrets.
2. Leverages the existing manual "Approve and run" security step for new contributors.
3. Explicitly checks out the contributor's code using `github.event.pull_request.head.sha`.
4. Removes the now-obsolete `pr-comment-trigger.yml` workflow and its associated documentation.

This solution is simpler, more robust, and correctly handles CI for external contributions.

Author: justinvdm

.github/workflows/playground-e2e-tests.yml

@@ -9,9 +9,8 @@ on:
       - ".notes/**"
       - "*.md"
       - "src/**/*.test.*"
-  pull_request:
-    branches:
-      - main
+  pull_request_target:
+    types: [opened, synchronize, reopened]
     paths-ignore:
       - "docs/**"
       - ".notes/**"
@@ -88,18 +87,6 @@ jobs:
             echo 'matrix={"include":[{"os":"ubuntu-latest","package-manager":"npm"}]}' >> $GITHUB_OUTPUT
           fi
 
-  e2e-tests-pending:
-    runs-on: ubuntu-latest
-    if: |
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name != github.repository
-    steps:
-      - name: Report pending status
-        run: |
-          echo "E2E tests for this PR have not been run."
-          echo "A maintainer must comment '/check' to start them."
-          exit 1
-
   playground-e2e:
     needs: setup-matrix
     name: Playground E2E Test
@@ -127,13 +114,13 @@ jobs:
       github.event_name == 'push' ||
       github.event_name == 'schedule' ||
       github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.head.repo.full_name == github.repository)
+      github.event_name == 'pull_request_target'
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.inputs.ref || github.ref }}
+          ref: ${{ github.event.pull_request.head.sha || github.event.inputs.ref || github.ref }}
 
       - name: Enable Corepack
         run: corepack enable

.github/workflows/pr-comment-trigger.yml

@@ -9,9 +9,8 @@ on:
       - ".notes/**"
       - "*.md"
       - "src/**/*.test.*"
-  pull_request:
-    branches:
-      - main
+  pull_request_target:
+    types: [opened, synchronize, reopened]
     paths-ignore:
       - "docs/**"
       - ".notes/**"
@@ -86,17 +85,6 @@ jobs:
             echo 'matrix={"include":[{"os":"ubuntu-latest","package-manager":"npm"}]}' >> $GITHUB_OUTPUT
           fi
 
-  smoke-tests-pending:
-    runs-on: ubuntu-latest
-    if: |
-      github.event_name == 'pull_request' &&
-      github.event.pull_request.head.repo.full_name != github.repository
-    steps:
-      - name: Report pending status
-        run: |
-          echo "Smoke tests for this PR have not been run."
-          echo "A maintainer must comment '/check' to start them."
-          exit 1
   smoke-test:
     needs: setup-matrix
     name: Starter Smoke Test
@@ -122,13 +110,13 @@ jobs:
       github.event_name == 'push' ||
       github.event_name == 'schedule' ||
       github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.head.repo.full_name == github.repository)
+      github.event_name == 'pull_request_target'
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.inputs.ref || github.ref }}
+          ref: ${{ github.event.pull_request.head.sha || github.event.inputs.ref || github.sha }}
 
       - name: Enable Corepack
         run: corepack enable

.github/workflows/smoke-test.yml

@@ -518,22 +518,6 @@ export RWSDK_FORCE_FULL_SYNC=1
 npx rwsync --watch "npm run dev"
 ```
 
-## CI for External Contributions
-
-For security reasons, CI workflows that require secrets (e.g., Smoke and E2E tests) do not automatically run on pull requests from forks. This prevents malicious PRs from accessing sensitive credentials.
-
-When a PR is opened from a fork, the main test jobs are skipped. To prevent merging untested code, a separate status check will fail, indicating that the core tests are pending a maintainer's approval. This failing check is expected and blocks the PR from being merged until tests are run.
-
-To run the tests for an external PR, a core contributor must:
-
-1.  **Review the code** to ensure it's safe to execute.
-2.  Add a comment to the PR with the command:
-    ```
-    /check
-    ```
-
-This command triggers the full test suite. Only repository owners, members, and collaborators can use it.
-
 ## Releasing (for Core Contributors)
 
 Releases are managed by a series of automated GitHub Actions workflows that handle versioning, smoke testing, publishing to npm, and packaging of release artifacts for the SDK, starter, and addons.