chore: do not run functional tests on pull-requests forks

These tests fail because they need the GITGUARDIAN_API_KEY variable, but it's not available for pull-requests coming from forks. Fixes GitGuardian#374
agateau-gg · Feb 22, 2023 · 55b144f · 55b144f
1 parent f78e1b9
commit 55b144f
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ on:
       - 'doc/**'
       - 'README.md'
 
+env:
+  IS_PR_FROM_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+
 jobs:
   lint:
     name: Lint package
@@ -40,6 +43,17 @@ jobs:
       - name: Run pre-commit checks
         run: GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} pre-commit run --show-diff-on-failure --all-files
 
+      - name: debug
+        run: echo "IS_PR_FROM_FORK=$IS_PR_FROM_FORK"
+
+      - name: debug2
+        if: env.IS_PR_FROM_FORK == 'true'
+        run: echo "I am a fork"
+
+      - name: debug3
+        if: env.IS_PR_FROM_FORK == 'false'
+        run: echo "I am not a fork"
+
   build:
     name: Build and Test
     runs-on: ${{ matrix.os }}
@@ -113,6 +127,10 @@ jobs:
           fail_ci_if_error: false
 
       - name: Run functional tests
+        # For security reasons, secrets are not available when running tests for a pull request from a fork. This causes
+        # all functional tests to fail because GITGUARDIAN_API_KEY is not defined. To avoid this, skip this step if we
+        # were triggered by a pull request from a fork.
+        if: env.IS_PR_FROM_FORK == 'false'
         shell: bash
         run: |
           make functest GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} GITGUARDIAN_API_URL=${{ secrets.GITGUARDIAN_API_URL }}
@@ -165,6 +183,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Scan commits for hardcoded secrets
+        if: env.IS_PR_FROM_FORK == 'false'
         uses: ./actions-unstable/secret
         env:
           GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
@@ -184,6 +203,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Scan commits for IaC vulnerabilities
+        if: env.IS_PR_FROM_FORK == 'false'
         uses: ./actions-unstable/iac
         with:
           args: .