fix: do not allow builds for prs

[howenyap]

Context

Build environment secrets can be leaked via malicious code on PRs

Implementation

Update vercel_ignore_build.sh to not build for PRs by default

Other Information

Aligned with @ravern

[greptile-apps]

PR author is not in the allowed authors list.

[vercel]

@howenyap is attempting to deploy a commit to the modsbot's projects Team on Vercel.

A member of the Team first needs to authorize it.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.42%. Comparing base (988c6fd) to head (7ffa084).
⚠️ Report is 220 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4374      +/-   ##
==========================================
+ Coverage   54.52%   56.42%   +1.90%     
==========================================
  Files         274      308      +34     
  Lines        6076     6963     +887     
  Branches     1455     1680     +225     
==========================================
+ Hits         3313     3929     +616     
- Misses       2763     3034     +271     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jloh02]

@howenyap @ravern cmiiw but when we deploy with changes to the .sh, vercel warns us and let's us know of changes? how else might these secrets be leaked? if we ignore these by default, then we can merge PRs from forks without any preview which is unintended?

@nusmodifications/nusmods-developers maintainers please lmk your thoughts too, but if we merge this means CI passes without any previous by default

[howenyap]

@howenyap @ravern cmiiw but when we deploy with changes to the .sh, vercel warns us and let's us know of changes? how else might these secrets be leaked? if we ignore these by default, then we can merge PRs from forks without any preview which is unintended?

cmiiw but secrets can be leaked via changes in any code, not just in .sh

there is also the second gate where you have to authorise vercel for the build to actually happen, but the concern was that it could be a large PR and the review might've missed something

but at the end of the day you guys are the maintainers so I'll just leave it to you to decide, I raised this to ravern and sent a patch just for disclosure

[jloh02]

hmm that's a good point and it's true. that's a natural drawback of the preview environment. will discuss with the other maintainers on this. thanks for bringing it up!