Release workflow runs in forks, causing failures on tag pushes #4238

@chicks-net

Problem

The release_draft.yml workflow triggers on any push of a v* tag, regardless of which repository the tag is pushed to. When a contributor pushes a version tag to their fork, the workflow runs in their fork and fails at the "Login to Docker Hub" step because the required secrets (DOCKERHUB_USERNAME, DOCKERHUB_ACCESS_TOKEN, etc.) are not available in fork repositories.

Example: failed run in fork — failed at "Login to Docker Hub" due to missing secrets.

This wastes CI minutes, generates confusing failure notifications, and could cause unintended side effects if secrets were inadvertently configured in forks.

Recommended Fix

Add a repository check to the draft_release job in .github/workflows/release_draft.yml so the job only executes in the canonical repo:

jobs:
  draft_release:
    name: draft release
    runs-on: ubuntu-latest
    if: github.repository == 'DNSControl/dnscontrol'
    permissions:

This is a widely-used pattern (e.g., used by GoReleaser's own templates) that ensures release workflows only run in the primary repository, while still allowing the workflow file to exist in forks for syncing purposes.
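One way to audit a workflow file for the missing guard this issue describes, as an added example that is not part of the original issue or the project's code. The sample workflow is constructed, `unguarded_secret_jobs` is a hypothetical helper, and the scanner assumes two-space indentation.

```python
import re

# Constructed sample workflow, not the project's actual release_draft.yml.
SAMPLE = """\
on:
  push:
    tags: ['v*']
jobs:
  draft_release:
    name: draft release
    runs-on: ubuntu-latest
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""

# Job names sit at indent 2 under `jobs:`; a job-level `if:` sits at indent 4.
JOB = re.compile(r"^ {2}([A-Za-z_][\w-]*):\s*$")
GUARD = re.compile(r"^ {4}if:.*github\.repository\s*==\s*['\"][^'\"/]+/[^'\"/]+['\"]")


def unguarded_secret_jobs(workflow_text):
    """Return jobs that reference secrets without a job-level repository guard."""
    # Hypothetical helper: a line scanner, not a full YAML parser.
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no guard or secret use
        if not line.startswith(" "):  # a new top-level key such as `on:`
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and (m := JOB.match(line)):
            current = m.group(1)
            jobs[current] = {"guard": False, "secrets": False}
        elif in_jobs and current:
            jobs[current]["guard"] |= bool(GUARD.match(line))
            jobs[current]["secrets"] |= "secrets." in line
    return [name for name, j in jobs.items() if j["secrets"] and not j["guard"]]


if __name__ == "__main__":
    # Lists the jobs that would attempt to use secrets when run in a fork.
    print(unguarded_secret_jobs(SAMPLE))
```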
