CI: don't run secret-requiring CI jobs on pull requests from forks

Dilum Aluthge 2023-01-27 22:36:37 -05:00
parent 9fbc246995
commit 794084c865


@ -7,6 +7,17 @@ jobs:
matrix: matrix:
os: [ ubuntu-latest, macOS-latest, windows-latest ] os: [ ubuntu-latest, macOS-latest, windows-latest ]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
# This job requires some GitHub Secrets. For security reasons, GitHub Secrets are not available
# if the pull request was made from a fork. Therefore, we only run this job if either of the
# following are true:
# 1. This is not a pull request.
# 2. This is a pull request, and the pull request was NOT made from a fork.
# In particular, we do NOT run this job if this is a pull request, and the pull request WAS
# made from a fork.
#
# The `(github.event_name != 'pull_request')` means "if this isn't a pull request".
# The `(github.repository == github.event.pull_request.head.repo.full_name)` means "the pull request is NOT made from a fork".
if: (github.event_name != 'pull_request') || (github.repository == github.event.pull_request.head.repo.full_name)
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Setup key - name: Setup key
@ -27,6 +38,17 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
image: ubuntu:latest image: ubuntu:latest
# This job requires some GitHub Secrets. For security reasons, GitHub Secrets are not available
# if the pull request was made from a fork. Therefore, we only run this job if either of the
# following are true:
# 1. This is not a pull request.
# 2. This is a pull request, and the pull request was NOT made from a fork.
# In particular, we do NOT run this job if this is a pull request, and the pull request WAS
# made from a fork.
#
# The `(github.event_name != 'pull_request')` means "if this isn't a pull request".
# The `(github.repository == github.event.pull_request.head.repo.full_name)` means "the pull request is NOT made from a fork".
if: (github.event_name != 'pull_request') || (github.repository == github.event.pull_request.head.repo.full_name)
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- run: apt update && apt install -y openssh-client git - run: apt update && apt install -y openssh-client git
@ -43,4 +65,3 @@ jobs:
git clone https://github.com/mpdude/test-2.git test-2-http git clone https://github.com/mpdude/test-2.git test-2-http
git clone git@github.com:mpdude/test-2.git test-2-git git clone git@github.com:mpdude/test-2.git test-2-git
git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh git clone ssh://git@github.com/mpdude/test-2.git test-2-git-ssh
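Review bot: The `if:` guard added to the first job (and repeated verbatim on the second job) treats every event other than `pull_request` as safe, which holds only while this workflow is never triggered by `pull_request_target`; the `on:` block is outside the visible hunks, so that should be confirmed. Under `pull_request_target` the first clause is true and secrets are available even for pull requests from forks, so the comment should state the assumption, e.g. `# NOTE: assumes this workflow is not triggered by pull_request_target, which runs with secrets even for forks.` Pull requests opened by Dependabot also satisfy the second clause yet do not receive the regular Actions secrets, so these jobs would presumably still run and fail for them. The eleven-line comment is duplicated in both jobs; keeping the full explanation once and a one-line pointer on the second job would stop the two copies drifting apart.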