Github actions don't run on PRs from forks

[lognaturel]

A PR from @ktuite on this repo ran 7 checks including Github actions: 2e76ed0

A PR from @alxndrsn on his fork only ran the build step in CircleCI: 54f10ce

Ideally all checks would run for forks of members of the organization and would require authorization for folks coming from outside the organization. That's how our other repos are set up.

[alxndrsn]

What's the concern here?

There are a few other things we should probably also be considering for actions security. The default permissions seem quite permissive:

[alxndrsn]

Further reading: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

[alxndrsn]

I think this PR to restrict access to GITHUB_TOKEN from jobs would be helpful:

https://github.com/getodk/central-backend/compare/master...alxndrsn:actions-minimal-permissions?expand=1

Edit to add: these permissions may only take effect once the PR is merged 😆 I suspect we will need contents: read.

[lognaturel]

Made this as as a placeholder and hadn't had a chance to come back! The goal is for all checks including github actions to run for PRs made on the forks of contributors to the organization (e.g. @alxndrsn). Running checks for PRs from forks of contributors outside the org should require maintainer approval (at least the first time for each individual) -- https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks