From 8f9d2d5cd4344e6f1688929fa37158d5c2353bde Mon Sep 17 00:00:00 2001
From: Brandon
Date: Wed, 18 Feb 2026 09:53:35 -0500
Subject: [PATCH] add check run workflow
---
 .github/workflows/build-target.yml | 49 ++++++++++++++++++++++++++++++
 .github/workflows/build.yml | 4 +++
 2 files changed, 53 insertions(+)
 create mode 100644 .github/workflows/build-target.yml
diff --git a/.github/workflows/build-target.yml b/.github/workflows/build-target.yml
new file mode 100644
index 00000000..e3dc4c04
--- /dev/null
+++ b/.github/workflows/build-target.yml
@@ -0,0 +1,49 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts
+# that require secrets when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been
+# introduced, as it could allow the code on the forked branch to have access to workflow secrets.
+
+name: Build on PR Target
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'src-cli/**'
+      - 'jslib/**'
+      - 'resources/**'
+      - 'scripts/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+      - 'angular.json'
+      - '.github/workflows/build.yml'
+      - '!*.md'
+      - '!*.txt'
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+
+  run-workflow:
+    name: Run Build
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d46408c9..40cfe9d7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
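Review bot: The gate this workflow depends on is consumed from a mutable ref, `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main`, yet it is the only thing between fork code and `secrets: inherit` in run-workflow; pin it to a full-length commit SHA, e.g. `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@<full-commit-sha>  # main`, so a change to that repository's default branch cannot silently alter the gate. The header comment says the run should happen "only after reviewing the PR", but nothing in this file encodes that condition — it is delegated entirely to check-run, whose logic is not visible here — so the comment should say that the review gate lives in check-run. Also, `synchronize` in `types:` re-triggers the run on every later push to the fork branch; if check-run keys off persistent state (a label or an earlier approval), commits pushed after that state was set would run with secrets without a fresh review, which is worth confirming and noting in a comment above `types:`.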
@@ -8,6 +8,10 @@ on:
       - "rc"
       - "hotfix-rc"
   workflow_dispatch: {}
+  workflow_call:
+    secrets:
+      Azure-KV-CI-Service-Principal:
+        required: true
 
 permissions:
   contents: read
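Review bot: The new `workflow_call:` interface declares the required secret but takes no input saying which revision to build; when build.yml is invoked from the `pull_request_target` run in build-target.yml, `github.sha`/`github.ref` resolve to the base branch, so any checkout in this file without an explicit `ref` would build `main` rather than the PR head (the checkout step is outside this hunk, so this is inferred). If building the fork's code is the intent, add an optional `inputs:` entry such as `ref` (`type: string`, `required: false`) under `workflow_call:` and pass it through to the checkout step; if building the base is the intent, a comment on `workflow_call:` stating that prevents the wrong reading. The `on:` block this hunk edits begins above the hunk.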