otterdog
Support workflow execution from forks of outside collaborators
Currently there is no way to specify the approval for running workflows of pull requests from outside collaborators.
There is no API available and it can only be modified via the Web UI. However, this is a setting that is security-relevant and we should investigate how we can support that at least on organization level so that you could enforce that any PR from an outside collaborator needs approval before workflows are allowed to run.
Note that there is a GH enterprise-wide setting for that.
We should discuss if we force on enterprise level that workflows always require approval for any external contributor.
If a user provides PRs on a regular basis, he / she should be added as contributor to the project or elected as committer imho.
I agree. We would need to extensively communicate about the change though and explain how regular external contributors can be invited to the GH org via PMI.