docs(ci): add docs for ci:trust command

docs/contributing/ci.md

@@ -0,0 +1,48 @@
+---
+name: Running Tests on Untrusted Forks
+sidebar_position: 99
+---
+
+# Running CI Scripts on Untrusted Forks
+
+Untrusted forks could contain malicious code to mine cryptocurrency, steal secrets, or otherwise harm the CI server. 
+
+For PRs from untrusted forks, to run the CI scripts, we need to:
+
+1. Review the code to ensure that it is safe to run on the CI server.
+2. If the code is safe, run the `ci:trust` script to push the commits to a branch on the main repository, where the CI scripts can be run.
+3. Once the tests have run, the status of the PR will be updated automatically (because the commits are the same).
+
+
+## How to run the CI scripts on untrusted forks:
+
+1. Copy the name of the branch from the PR.
+   <img src="./images/ci-copy-fork-branch.png" alt="ci-copy-fork-branch" width="400"/>
+2. From your local clone of the main repository, run the `ci:trust` script.
+    ```bash
+    yarn ci:trust <branch-name>
+    ```
+3. The branch will be pushed and the tests will run
+   <img src="./images/ci-tests-running.png" alt="ci-tests-running" width="400"/>
+
+
+## What does ci:trust do?
+
+The `ci:trust` script does the following:
+
+1. Adds and fetches the untrusted fork as a temporary remote in your local repository.
+2. Pushes the specific branch from the untrusted fork to a designated temporary branch in your original repository. 
+3. Pushing to a local branch triggers the continuous integration (CI) tests on the commits of the branch.
+4. Because the commits are the same, the status of the PR will be updated automatically.
+
+
+### Notes
+1. The ci:trust script will only work if you have write access to the main repository. This prevents malicious users from running the script on the main repository.
+2. The ci:trust script pushes the commits to a branch called `temp-branch-to-test-fork`.
+
+::: warning
+
+The `temp-branch-to-test-fork` branch will be deleted and recreated if it already exists. This allows the script to
+clean up its own temporary branches.  
+
+:::

scripts/git-push-fork-to-upstream-repo.sh

@@ -17,19 +17,19 @@ SOURCE_GH_USER=$(echo "$BRANCH_SPEC" | awk -F: '{print $1}')
 SOURCE_BRANCH=$(echo "$BRANCH_SPEC" | awk -F: '{print $2}')
 REPO_NAME=$(git remote get-url --push origin | awk -F/ '{print $NF}' | sed 's/\.git$//')
 
-# Check if 'fork-to-test' remote exists and then remove it
-if git config --get "remote.fork-to-test.url" > /dev/null; then
-    git remote remove fork-to-test
-    echo "Removed remote fork-to-test"
+# Check if 'temp-branch-to-test-fork' remote exists and then remove it
+if git config --get "remote.temp-branch-to-test-fork.url" > /dev/null; then
+    git remote remove temp-branch-to-test-fork
+    echo "Removed remote temp-branch-to-test-fork"
 else
-    echo "Remote fork-to-test does not exist, no need to remove it"
+    echo "Remote temp-branch-to-test-fork does not exist, no need to remove it"
 fi
 
-git remote add fork-to-test "[email protected]:$SOURCE_GH_USER/$REPO_NAME.git"
+git remote add temp-branch-to-test-fork "[email protected]:$SOURCE_GH_USER/$REPO_NAME.git"
 
 git fetch --all
-git push --force "$REACTOTRON_REPO" "refs/remotes/fork-to-test/$SOURCE_BRANCH:refs/heads/$GPF_REACTOTRON_BRANCH"
-git remote remove fork-to-test || echo "Removed new remote fork-to-test"
+git push --force "$REACTOTRON_REPO" "refs/remotes/temp-branch-to-test-fork/$SOURCE_BRANCH:refs/heads/$GPF_REACTOTRON_BRANCH"
+git remote remove temp-branch-to-test-fork || echo "Removed new remote temp-branch-to-test-fork"
 
 cat <<EOF
 Forked branch '$BRANCH_SPEC' has been pushed to branch '$GPF_REACTOTRON_BRANCH'