Add Sonar support for forked PRs

Author: danny-gallagher

.github/workflows/sonar.yml

@@ -4,10 +4,8 @@ name: Sonar
     branches:
       - main
   pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
+    branches:
+      - main
   schedule:
     - cron: 0 16 * * *
 jobs:
@@ -18,6 +16,11 @@ jobs:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
+      - name: Check for external PR
+        if: ${{ !(contains(github.event.pull_request.labels.*.name, 'safe') ||
+          github.event.pull_request.head.repo.full_name == github.repository ||
+          github.event_name != 'pull_request_target') }}
+        run: echo "Unsecure PR, must be labelled with the 'safe' label, then run the workflow again" && exit 1
       - name: Set up Python 3.8
         uses: actions/setup-python@v2
         with: