ci: harden fork PR checks

strongkeep-debug · strongkeep-debug · commit 44bdb2d59299 · 2026-05-21T04:31:45.000-07:00
diff --git a/.github/workflows/api-schema-diff.yml b/.github/workflows/api-schema-diff.yml
@@ -140,7 +140,7 @@ jobs:
           cat api-diff-report.txt
 
       - name: Post diff to PR
-        if: always()
+        if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/github-script@v7
         with:
           script: |
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -64,6 +64,7 @@ jobs:
   # ── 1. Deploy PR branch to staging EC2 ─────────────────────────────────────
   deploy:
     name: Deploy to staging EC2
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     timeout-minutes: 20
     environment:
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -29,7 +29,7 @@ jobs:
           cache: pip
 
       - name: Install bandit
-        run: pip install bandit[toml]
+        run: pip install bandit[toml] bandit-sarif-formatter
 
       - name: Run Bandit
         run: |
@@ -41,6 +41,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Bandit SARIF
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: bandit-results.sarif
