Explicitly ban changes to workflow files from forked PRs

Changes to these files *can't* be tested in forked PRs, so we should explicitly block them with an error message to explain why.

PiperOrigin-RevId: 508701535

.github/README.md

@@ -71,6 +71,14 @@ is working as expected (that is, it will run all the staleness tests).
 The `regenerate_stale_files.sh` script is the central script responsible for all
 the re-generation of stale files.
 
+# Forked PRs
+
+Because we need secret access to run our tests, we use the `pull_request_target`
+event for PRs coming from forked repositories.  We do checkout the code from the
+PR's head, but the workflow files themselves are always fetched from the *base*
+branch (that is, the branch we're merging to).  Therefore, any changes to these
+files won't be tested, so we explicitly ban PRs that touch these files.
+
 # Caches
 
 We have a number of different caching strategies to help speed up tests.  These

.github/workflows/forked_pr_workflow_check.yml

@@ -0,0 +1,27 @@
+name: Forked PR workflow check
+
+# This workflow prevents modifications to our workflow files in PRs from forked
+# repositories.  Since tests in these PRs always use the workflows in the
+# *target* branch, modifications to these files can't be properly tested.
+
+on:
+  # safe presubmit
+  pull_request:
+    branches:
+      - main
+      - '[0-9]+.x'
+      # The 21.x branch still uses Kokoro
+      - '!21.x'
+      # For testing purposes so we can stage this on the `gha` branch.
+      - gha
+    paths:
+      - '.github/workflows/**'
+
+jobs:
+  check:
+    name: Check PR source
+    runs-on: ubuntu-latest
+    steps:
+      - run: >
+          ${{ github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf' }} ||
+          (echo "This pull request is from an unsafe fork and isn't allowed to modify workflow files!" && exit 1)