We use the development model where developers can create PRs with feature branches that can be merged to master/main or a release branch when the required checks pass and reviewers aren’t too grumpy that day. With Jenkins, we have different on-site build boxes that have access to different things: one can deploy to production, the other is just there to do linter/phpcs checks and perhaps echo funny quotes from co-workers we collected over the years.
Obviously we only let pull requests run their jobs on the latter, and reserve the production builders for merged code only, by blocking build agents on certain branch patterns using a complex Jenkins configuration that only admins can modify.
How do I replicate this with Actions? I want to say: if PR, then only run the build on runners with label X, so that untrusted code is only able to run in a location that we control. The workflow file itself obviously cannot be trusted until it is merged, so specifying the runners there is not an option.
Is it somehow possible to separate concerns here depending on whether or not it is a PR, without everyone being able to circumvent this by editing the workflow itself?