add required secrets for check run

.github/workflows/build-target.yml

@@ -0,0 +1,49 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts
+# that require secrets when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been
+# introduced, as it could allow the code on the forked branch to have access to workflow secrets.
+
+name: Build on PR Target
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'src-cli/**'
+      - 'jslib/**'
+      - 'resources/**'
+      - 'scripts/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+      - 'angular.json'
+      - '.github/workflows/build.yml'
+      - '!*.md'
+      - '!*.txt'
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+
+  run-workflow:
+    name: Run Build
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write

.github/workflows/build.yml

@@ -8,6 +8,16 @@ on:
       - "rc"
       - "hotfix-rc"
   workflow_dispatch: {}
+  workflow_call:
+    secrets:
+      Azure-KV-CI-Service-Principal:
+        required: true
+      AZURE_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+      AZURE_CLIENT_ID:
+        required: true
 
 permissions:
   contents: read