Allow usage of secrets for PRs from forks #50

Open
khaeru opened this issue Feb 25, 2022 · 3 comments
Labels
enh New features or functionality

Comments

@khaeru
Member

khaeru commented Feb 25, 2022

For pull requests from forks (e.g. #49), the "pytest" CI workflow currently fails. This is because it depends on secrets:

  • GAMS_LICENSE for solving models.
  • RTD_TOKEN_MESSAGE_DATA for retrieving the Intersphinx inventory. Missing this secret, however, only causes warnings, not a fatal error.

GitHub does not pass secrets to PRs from forks. This is because any malicious third party could fork, write code that 'steals' the secret, and open a PR; then the automatically-triggered workflow would activate the malicious code.

It is possible (we're not sure) that we could work around this using GitHub's environments feature. The idea is that, for each environment, we can set a maintainer (i.e. member of @iiasa/messageix-devs) who must give approval before particular workflows will run. Secrets can be stored within an environment (rather than for the repo as a whole).

To resolve this issue, investigate and, if viable, implement this solution.

Current workarounds:

  • Core team members should make PRs from branches in this repo, rather than forks.
  • For other PRs made from forks, use admin override to merge.
@khaeru khaeru added the enh New features or functionality label Feb 25, 2022
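
One way the environment-gated approach described in the issue could look as a workflow, as an added example that is not the project's own configuration or part of the original post. The environment name `fork-pr-tests`, the branch `main`, the `tests` extra and the way `GAMS_LICENSE` is handed to the test step are assumptions.

```yaml
# Added example; names marked "assumed" are hypothetical.
name: pytest

on:
  # pull_request_target runs in the context of the base repository, using the
  # workflow file from the base branch, so a fork cannot edit this file to
  # remove the approval gate, and secrets are available to the run.
  pull_request_target:
    branches: [main]            # assumed default branch

permissions:
  contents: read                # keep GITHUB_TOKEN read-only

jobs:
  pytest:
    runs-on: ubuntu-latest
    # Assumed environment name. Under Settings > Environments, add required
    # reviewers and store GAMS_LICENSE as an environment secret instead of a
    # repository secret. The job then waits until a reviewer approves it.
    environment: fork-pr-tests
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the exact commit recorded in the triggering event, not
          # the branch name, so the approved run tests the commit the
          # reviewer inspected. A later push starts a new run that needs its
          # own approval.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for fork code to read.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # After approval this step executes code from the fork, so the reviewer
      # must read the diff at the SHA above before approving.
      - run: pip install ".[tests]"   # assumed extras name

      - run: pytest
        env:
          # Expose the secret only to the step that needs it.
          GAMS_LICENSE: ${{ secrets.GAMS_LICENSE }}
```

The approval is the only control here: once a reviewer approves, the fork's code runs with the secret in its environment, so the gate is only as strong as the review of that exact commit.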
@khaeru
Member Author

khaeru commented Feb 25, 2022

We may also implement the same approach for message_data, although the concerns are less there because it is a private repository and we control who has access/is able to fork and open PRs.

@khaeru
Member Author

khaeru commented Feb 25, 2022

Sorry, maybe this is a duplicate of #21.

@jkikstra
Contributor

Thanks for opening this. Just commenting here to share that we've had a similar experience with another repository (climate assessment) with secrets, where we did not find a good solution (within time constraints), and just continued working using a branching workflow.
So I'll keep an eye out to see how you progress on this.

glatterf42 pushed a commit that referenced this issue Jul 4, 2023
Add documentation on the land-use emulator
glatterf42 pushed a commit that referenced this issue Jul 6, 2023
Add documentation on the land-use emulator
3 participants