ci: restrict specific workflows to the upstream repository

nimdrak · nimdrak · commit 148c2fc1bc4e · 2026-05-26T05:11:39.000Z
Many GitHub Actions workflows currently trigger on user forks, leading to
unnecessary CI resource consumption, unwanted bot behavior, and inevitable
failures. This commit restricts these specific workflows to only run on the
primary `containers/podman` repository.

The restricted workflows fall into two main categories:
1. Require Custom Upstream Secrets: Workflows like `release`, `mac-pkg`,
   `cherry-pick`, and `dev-bump` rely on secrets (e.g., Apple/Azure certs,
   PODMANBOT_TOKEN, ACTION_MAIL_*) that are unavailable in forks.
2. Manage Upstream Tracker State: Workflows like `assign`, `stale`, and
   `labeler` are intended strictly for managing the primary project's
   issues and PRs. Running them on personal forks creates unwanted noise.

Additionally, refactored several complex `if` conditions using YAML
multi-line strings (`|`) to maintain and improve readability.

Signed-off-by: Byounguk Lee &lt;nimdrak@gmail.com&gt;
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
@@ -7,7 +7,10 @@ on:
 jobs:
   assign:
     # Only run on issue comments (not PR comments)
-    if: "!github.event.issue.pull_request && contains(github.event.comment.body, '/assign')"
+    if: |
+      !github.event.issue.pull_request &&
+      contains(github.event.comment.body, '/assign') &&
+      github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml
@@ -41,6 +41,7 @@ permissions:
 
 jobs:
     cron_failures:
+        if: github.repository == 'containers/podman'
         runs-on: ubuntu-latest
         steps:
             # This is where the scripts live
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
@@ -11,7 +11,8 @@ jobs:
     if: |
       github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/cherry-pick ')
+      contains(github.event.comment.body, '/cherry-pick ') &&
+      github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -194,7 +195,8 @@ jobs:
   cherry-pick-on-merge:
     if: |
       github.event_name == 'pull_request' &&
-      github.event.pull_request.merged == true
+      github.event.pull_request.merged == true &&
+      github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml
@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   bump:
+    if: github.repository == 'containers/podman'
     name: Bump to -dev
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml
@@ -22,7 +22,12 @@ jobs:
   screenshot_and_comment:
     # This job runs if the PR was merged or if it's a manual trigger.
     # The logic for first-time contributors is handled in a dedicated step below.
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
+    if: |
+     (
+       github.event_name == 'workflow_dispatch' ||
+       github.event.pull_request.merged == true
+     ) &&
+     github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: read  # Write access for certificate storage
diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
@@ -8,6 +8,7 @@ permissions:
 
 jobs:
   triage:
+    if: github.repository == 'containers/podman'
     permissions:
       contents: read  # for github/issue-labeler to get repo contents
       issues: write  # for github/issue-labeler to create or remove labels
diff --git a/.github/workflows/issue_pr_lock.yml b/.github/workflows/issue_pr_lock.yml
@@ -45,6 +45,7 @@ env:
 
 jobs:
   manage_locking:
+    if: github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -7,6 +7,7 @@ permissions: {}
 
 jobs:
   triage:
+    if: github.repository == 'containers/podman'
     permissions:
       contents: read
       pull-requests: write
diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
@@ -14,6 +14,7 @@ concurrency:
 
 jobs:
   podman-image-build-pr:
+    if: github.repository == 'containers/podman'
     name: Open PR on podman-machine-os
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/needs-info-labeler.yaml b/.github/workflows/needs-info-labeler.yaml
@@ -8,7 +8,9 @@ permissions: {}
 
 jobs:
   add-comment:
-    if: github.event.label.name == 'needs-info'
+    if: |
+      github.event.label.name == 'needs-info' &&
+      github.repository == 'containers/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,6 +21,7 @@ permissions:
 
 jobs:
   check:
+    if: github.repository == 'containers/podman'
     name: Check
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -12,7 +12,7 @@ permissions:
 
 jobs:
   stale:
-
+    if: github.repository == 'containers/podman'
     permissions:
       issues: write  # for actions/stale to close stale issues
       pull-requests: write  # for actions/stale to close stale PRs
diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml
@@ -22,6 +22,7 @@ permissions: {}
 
 jobs:
   bump:
+    if: github.repository == 'containers/podman'
     name: Bump
     runs-on: ubuntu-24.04
     permissions:
