diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d2abffca1f..a3210e06ed 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,6 +11,9 @@ on:
- 'doc/**'
- 'README.md'
+env:
+ IS_PR_FROM_FORK: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+
jobs:
lint:
name: Lint package
@@ -40,6 +43,17 @@ jobs:
- name: Run pre-commit checks
run: GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} pre-commit run --show-diff-on-failure --all-files
+ - name: debug
+ run: echo "IS_PR_FROM_FORK=$IS_PR_FROM_FORK"
+
+ - name: debug2
+ if: env.IS_PR_FROM_FORK == 'true'
+ run: echo "I am a fork"
+
+ - name: debug3
+ if: env.IS_PR_FROM_FORK == 'false'
+ run: echo "I am not a fork"
+
build:
name: Build and Test
runs-on: ${{ matrix.os }}
@@ -113,6 +127,10 @@ jobs:
fail_ci_if_error: false
- name: Run functional tests
+ # For security reasons, secrets are not available when running tests for a pull request from a fork. This causes
+ # all functional tests to fail because GITGUARDIAN_API_KEY is not defined. To avoid this, skip this step if we
+ # were triggered by a pull request from a fork.
+ if: env.IS_PR_FROM_FORK == 'false'
shell: bash
run: |
make functest GITGUARDIAN_API_KEY=${{ secrets.GITGUARDIAN_API_KEY }} GITGUARDIAN_API_URL=${{ secrets.GITGUARDIAN_API_URL }}
@@ -165,6 +183,7 @@ jobs:
with:
fetch-depth: 0
- name: Scan commits for hardcoded secrets
+ if: env.IS_PR_FROM_FORK == 'false'
uses: ./actions-unstable/secret
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
@@ -184,6 +203,7 @@ jobs:
with:
fetch-depth: 0
- name: Scan commits for IaC vulnerabilities
+ if: env.IS_PR_FROM_FORK == 'false'
uses: ./actions-unstable/iac
with:
args: .
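Review bot: The new `IS_PR_FROM_FORK` entry in the `env:` block is undocumented, and its value is the string `'true'`/`'false'` rather than a boolean, so every consumer must compare against the quoted literal as the later steps do; a future `if: env.IS_PR_FROM_FORK` shortcut would, as far as I can tell, be truthy for any non-empty string and defeat the guard. The expression also only recognises `pull_request`: should a `pull_request_target` trigger ever be added, the flag stays `'false'` and the guarded steps would run with secrets against fork-controlled code, which is precisely what the flag exists to prevent. Suggested comment above the entry: `# String 'true' when the PR head lives in another repository (secrets are withheld on such runs). Covers pull_request only, not pull_request_target — compare with == 'true' / == 'false'.` When the head repository has been deleted, `head.repo` is null and the inequality still yields `'true'`, which is the safe direction.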
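Review bot: The `debug`, `debug2` and `debug3` steps added after the pre-commit step read like scratch diagnostics for the new flag and contribute nothing to the lint result; they should be removed before merge rather than become permanent workflow noise. Whether the `== 'true'` / `== 'false'` comparisons work is something to confirm once in a fork-PR run, not on every lint job. If one step is deliberately kept for visibility, a single named step such as `- name: Show fork detection` / `run: echo "IS_PR_FROM_FORK=$IS_PR_FROM_FORK"` is enough. Both the `lint` job and the `build` job extend beyond this hunk.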
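Review bot: The added `if: env.IS_PR_FROM_FORK == 'false'` on `Run functional tests` means fork PRs never execute the functional tests while the job still reports success, so a contributor change that breaks them lands green; the new comment explains the skip but not that the coverage gap is intentional and where it is closed. Please extend the comment along the lines of `# NOTE: fork PRs therefore get no functional-test coverage here; they must be run on push to the base branch (or by a maintainer re-running from a branch in this repository) before/after merge.` The guard also keys only on fork origin, so any other run without `secrets.GITGUARDIAN_API_KEY` — for instance PRs authored by Dependabot, which come from branches in this repository if the project uses it — would still hit the failure the comment describes; worth confirming against the repository's settings. The `build` job continues outside this hunk.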
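Review bot: Skipping `Scan commits for hardcoded secrets` on fork PRs removes secret scanning from exactly the contributions that most need it — external commits — while the job still passes, so a fork PR that introduces a hardcoded credential sails through this check unflagged. The step's `env:` block and the enclosing job continue outside the hunk, so I cannot confirm which secret the local action requires; if it is only an API key, the usual remedy is a separate `pull_request_target` workflow that checks out the base ref (so `uses: ./actions-unstable/secret` runs trusted code) and fetches the PR head commits as data to scan without ever executing them. Until such a workflow exists, document the gap next to the guard: `# Fork PRs are not scanned here (secrets unavailable); their commits are scanned on merge/push to the base branch.`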
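Review bot: The `if:` is attached to the `Scan commits for IaC vulnerabilities` step only, so on a fork PR the job still performs the full-history checkout (`fetch-depth: 0`) and then completes as a passing check with nothing scanned, which reads as a green IaC result to reviewers. Moving the condition to the job (`jobs.<id>.if`) makes the run appear as skipped rather than passed and avoids the checkout; note that the `env` context is not available in a job-level `if`, so it needs the expression itself, e.g. `if: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}`. The same applies to the secret-scan job guarded the same way. The job header is outside this hunk.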