diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d2abffca1f..62830aa6ad 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ on:
 - 'doc/**'
 - 'README.md'
 
+env:
+ IS_PR_FROM_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+
 jobs:
 lint:
 name: Lint package
@@ -40,6 +43,17 @@ jobs:
 - name: Run pre-commit checks
 run: GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} pre-commit run --show-diff-on-failure --all-files
 
+ - name: debug
+ run: echo "IS_PR_FROM_FORK=$IS_PR_FROM_FORK"
+
+ - name: debug2
+ if: env.IS_PR_FROM_FORK == 'true'
+ run: echo "I am a fork"
+
+ - name: debug3
+ if: env.IS_PR_FROM_FORK == 'false'
+ run: echo "I am not a fork"
+
 build:
 name: Build and Test
 runs-on: ${{ matrix.os }}
@@ -113,6 +127,10 @@ jobs:
 fail_ci_if_error: false
 
 - name: Run functional tests
+ # For security reasons, secrets are not available when running tests for a pull request from a fork. This causes
+ # all functional tests to fail because GITGUARDIAN_API_KEY is not defined. To avoid this, skip this step if we
+ # were triggered by a pull request from a fork.
+ if: env.IS_PR_FROM_FORK == 'false'
 shell: bash
 run: |
 make functest GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} GITGUARDIAN_API_URL=${{ secrets.GITGUARDIAN_API_URL }}
@@ -159,6 +177,7 @@ jobs:
 test_github_secret_scan_action:
 name: Test GitHub action for `secret scan`
 runs-on: ubuntu-latest
+ if: ${{ !github.event.pull_request.head.repo.fork }}
 steps:
 - name: Checkout
 uses: actions/checkout@v2
@@ -178,6 +197,7 @@ jobs:
 test_github_iac_scan_action:
 name: Test GitHub action for `iac scan`
 runs-on: ubuntu-latest
+ if: ${{ !github.event.pull_request.head.repo.fork }}
 steps:
 - name: Checkout
 uses: actions/checkout@v2
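Review bot: The `IS_PR_FROM_FORK` expression in the new top-level `env:` block recognises only the `pull_request` event, so under any other trigger it evaluates to false and the guarded steps run as if the code were trusted. That is correct for `push`, but the `on:` block is only partly visible here, and if the workflow ever gains a `pull_request_target` trigger, fork code would take the secrets-bearing path. A comment above the variable would make the constraint explicit, for example `# Only valid for push and pull_request triggers; revisit before adding pull_request_target.` The same comment could note that steps see the value as the string `'true'` or `'false'`, which is why the `if:` conditions compare against quoted strings.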
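Review bot: The `debug`, `debug2` and `debug3` steps added to the `lint` job read like scaffolding for checking the expression and should be dropped before merge, since they only echo the flag. The unchanged `Run pre-commit checks` step just above them has no guard, so on a fork pull request it presumably still runs with an empty `GITGUARDIAN_API_KEY`. If any hook needs the key, that step likely wants the same `if: env.IS_PR_FROM_FORK == 'false'` condition the functional tests get. The `lint` job's step list begins outside this hunk.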
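Review bot: Guarding `Run functional tests` with `if: env.IS_PR_FROM_FORK == 'false'` leaves the job green on fork pull requests even though no functional test ran, so a skipped run can be mistaken for a passing one at merge time. The added comment should also say how coverage is recovered, for example `# Maintainers: push the branch to this repository to run the functional tests before merging.` Separately, and outside what this commit changes, the unchanged `run:` line expands `${{ secrets.* }}` straight into the shell command; passing the two values through the step's `env:` mapping would keep them out of the rendered script.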
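Review bot: The job-level `if: ${{ !github.event.pull_request.head.repo.fork }}` on `test_github_secret_scan_action`, and the identical line on `test_github_iac_scan_action` in the next hunk, tests something different from `IS_PR_FROM_FORK`. `head.repo.fork` says whether the head repository is a fork of anything, not whether it differs from the repository running the workflow. When the workflow runs inside a fork of the project, same-repository pull requests there would skip these two jobs while the step-level guard still lets the functional tests run. The `env` context is not available in a job-level `if`, so the condition has to be spelled out: `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`. A one-line comment saying these jobs need secrets would also help, since unlike the functional-test step these two lines carry no explanation.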