From 7fc96b5511d48f6467c7c4bb56186c62f2a99549 Mon Sep 17 00:00:00 2001
From: Byounguk Lee
Date: Mon, 25 May 2026 11:20:54 +0000
Subject: [PATCH] ci: restrict specific workflows to the upstream repository

Many GitHub Actions workflows currently trigger on user forks, leading to unnecessary CI resource consumption, unwanted bot behavior, and inevitable failures. This commit restricts these specific workflows to only run on the primary `containers/podman` repository. The restricted workflows fall into two main categories:
1. Require Custom Upstream Secrets: Workflows like `release`, `mac-pkg`, `cherry-pick`, and `dev-bump` rely on secrets (e.g., Apple/Azure certs, PODMANBOT_TOKEN, ACTION_MAIL_*) that are unavailable in forks.
2. Manage Upstream Tracker State: Workflows like `assign`, `stale`, and `labeler` are intended strictly for managing the primary project's issues and PRs. Running them on personal forks creates unwanted noise.
Additionally, refactored several complex `if` conditions using YAML multi-line strings (`|`) to maintain and improve readability.

Signed-off-by: Byounguk Lee
---
 .github/workflows/assign.yml | 5 ++++-
 .github/workflows/cherry-pick.yml | 6 ++++--
 .github/workflows/dev-bump.yml | 1 +
 .github/workflows/first_contrib_cert_generator.yml | 7 ++++++-
 .github/workflows/issue-labeler.yml | 1 +
 .github/workflows/issue_pr_lock.yml | 1 +
 .github/workflows/labeler.yml | 1 +
 .github/workflows/machine-os-pr.yml | 1 +
 .github/workflows/needs-info-labeler.yaml | 4 +++-
 .github/workflows/release-pipeline-validation.yml | 13 ++++++++++---
 .github/workflows/release.yml | 1 +
 .github/workflows/stale.yml | 2 +-
 .github/workflows/update-podmanio.yml | 1 +
 13 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index 3ed6bf4fbab..ac24417653f 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -7,7 +7,10 @@ on:
 jobs:
   assign:
     # Only run on issue comments (not PR comments)
-    if: "!github.event.issue.pull_request && contains(github.event.comment.body, '/assign')"
+    if: |
+      !github.event.issue.pull_request &&
+      contains(github.event.comment.body, '/assign') &&
+      github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index 0ca64a883cc..e29ec04b0ae 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -11,7 +11,8 @@ jobs:
     if: |
       github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/cherry-pick ')
+      contains(github.event.comment.body, '/cherry-pick ') &&
+      github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -194,7 +195,8 @@ jobs:
   cherry-pick-on-merge:
     if: |
       github.event_name == 'pull_request' &&
-      github.event.pull_request.merged == true
+      github.event.pull_request.merged == true &&
+      github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml
index 7fa25c62dec..89967809d0a 100644
--- a/.github/workflows/dev-bump.yml
+++ b/.github/workflows/dev-bump.yml
@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   bump:
+    if: github.repository == 'podman-container-tools/podman'
     name: Bump to -dev
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml
index c39d1fc2b85..a22ee4420b4 100644
--- a/.github/workflows/first_contrib_cert_generator.yml
+++ b/.github/workflows/first_contrib_cert_generator.yml
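Review bot: The new gate compares `github.repository` with `'podman-container-tools/podman'`, while the commit message says the workflows are being restricted to `containers/podman`; if the latter is the repository's actual `owner/name`, every `if:` added in this file and in the other twelve (cherry-pick.yml, dev-bump.yml, first_contrib_cert_generator.yml, issue-labeler.yml, issue_pr_lock.yml, labeler.yml, machine-os-pr.yml, needs-info-labeler.yaml, release-pipeline-validation.yml, release.yml, stale.yml, update-podmanio.yml) also evaluates false upstream, and the jobs are silently skipped instead of failing. Whichever string is correct should be used in both places, and one scheduled run of release-pipeline-validation.yml showing its jobs as executed rather than skipped would confirm the choice. The existing comment above the condition is now incomplete; suggest `# Only run on issue comments (not PR comments) in the upstream repository`.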
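Review bot: The added `if:` line in dev-bump.yml carries no explanation of why the job must not run on forks, and the same bare gate appears in issue-labeler.yml, issue_pr_lock.yml, labeler.yml, machine-os-pr.yml, release.yml, stale.yml, update-podmanio.yml and the validate-tokens job of release-pipeline-validation.yml. A one-line comment above each gate, such as `# Upstream only: relies on secrets that forks do not have` for the release-type jobs and `# Upstream only: manages the project's issue tracker` for the triage jobs, records the reason the commit message gives so a later maintainer does not loosen the condition. Without it the rationale is recoverable only from git history.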
@@ -22,7 +22,12 @@ jobs:
   screenshot_and_comment:
     # This job runs if the PR was merged or if it's a manual trigger.
     # The logic for first-time contributors is handled in a dedicated step below.
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
+    if: |
+      (
+        github.event_name == 'workflow_dispatch' ||
+        github.event.pull_request.merged == true
+      ) &&
+      github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       contents: read # Write access for certificate storage
diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
index 12f2a59576a..895527e863e 100644
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -8,6 +8,7 @@ permissions:
 
 jobs:
   triage:
+    if: github.repository == 'podman-container-tools/podman'
     permissions:
       contents: read # for github/issue-labeler to get repo contents
       issues: write # for github/issue-labeler to create or remove labels
diff --git a/.github/workflows/issue_pr_lock.yml b/.github/workflows/issue_pr_lock.yml
index 303eb48a07e..b379bd8339d 100644
--- a/.github/workflows/issue_pr_lock.yml
+++ b/.github/workflows/issue_pr_lock.yml
@@ -45,6 +45,7 @@ env:
 
 jobs:
   manage_locking:
+    if: github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 8d3f141f303..22d7cba6273 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,7 @@ permissions: {}
 
 jobs:
   triage:
+    if: github.repository == 'podman-container-tools/podman'
     permissions:
       contents: read
       pull-requests: write
diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
index ee389e736ff..d8767a455d7 100644
--- a/.github/workflows/machine-os-pr.yml
+++ b/.github/workflows/machine-os-pr.yml
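Review bot: The comment `# This job runs if the PR was merged or if it's a manual trigger.` above the rewritten condition no longer describes it, because the job now additionally requires `github.repository == 'podman-container-tools/podman'`. Suggest `# This job runs in the upstream repository only, when the PR was merged or on a manual trigger.` The parenthesised grouping in the new block is needed and should stay: in GitHub's expression syntax `&&` binds tighter than `||`, so without it a `workflow_dispatch` run would bypass the repository check.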
@@ -14,6 +14,7 @@ concurrency:
 
 jobs:
   podman-image-build-pr:
+    if: github.repository == 'podman-container-tools/podman'
     name: Open PR on podman-machine-os
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/needs-info-labeler.yaml b/.github/workflows/needs-info-labeler.yaml
index aa048b27f50..da4236686bd 100644
--- a/.github/workflows/needs-info-labeler.yaml
+++ b/.github/workflows/needs-info-labeler.yaml
@@ -8,7 +8,9 @@ permissions: {}
 
 jobs:
   add-comment:
-    if: github.event.label.name == 'needs-info'
+    if: |
+      github.event.label.name == 'needs-info' &&
+      github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/release-pipeline-validation.yml b/.github/workflows/release-pipeline-validation.yml
index 7a1b9e22601..19553d4642c 100644
--- a/.github/workflows/release-pipeline-validation.yml
+++ b/.github/workflows/release-pipeline-validation.yml
@@ -17,7 +17,9 @@ jobs:
   get-latest-release:
     name: Get branch for latest release
     runs-on: ubuntu-latest
-    if: github.event_name == 'schedule'
+    if: |
+      github.event_name == 'schedule' &&
+      github.repository == 'podman-container-tools/podman'
     outputs:
       release_ref: ${{ steps.set.outputs.release_ref }}
     steps:
@@ -44,7 +46,9 @@ jobs:
   build-artifacts-main:
     name: Build Artifacts (main)
     uses: ./.github/workflows/build-artifacts.yml
-    if: github.event_name == 'schedule'
+    if: |
+      github.event_name == 'schedule' &&
+      github.repository == 'podman-container-tools/podman'
     with:
       version: 'main'
     secrets:
@@ -89,7 +93,9 @@ jobs:
   build-artifacts-single:
     name: Build Artifacts
     uses: ./.github/workflows/build-artifacts.yml
-    if: github.event_name == 'workflow_dispatch'
+    if: |
+      github.event_name == 'workflow_dispatch' &&
+      github.repository == 'podman-container-tools/podman'
     with:
       version: ${{ inputs.ref }}
     secrets:
@@ -110,6 +116,7 @@ jobs:
 
   validate-tokens:
     name: Validate GitHub tokens
+    if: github.repository == 'podman-container-tools/podman'
     runs-on: ubuntu-latest
     steps:
       - name: Validate PODMANBOT_TOKEN
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20a6d7a42b3..ea6df03e12a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,7 @@ permissions:
 
 jobs:
   check:
+    if: github.repository == 'podman-container-tools/podman'
     name: Check
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index c2973929417..2a92526acd3 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,7 +12,7 @@ permissions:
 
 jobs:
   stale:
-
+    if: github.repository == 'podman-container-tools/podman'
     permissions:
       issues: write # for actions/stale to close stale issues
       pull-requests: write # for actions/stale to close stale PRs
diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml
index a93fb86fcb0..4034fa89682 100644
--- a/.github/workflows/update-podmanio.yml
+++ b/.github/workflows/update-podmanio.yml
@@ -22,6 +22,7 @@ permissions: {}
 
 jobs:
   bump:
+    if: github.repository == 'podman-container-tools/podman'
     name: Bump
     runs-on: ubuntu-24.04
     permissions:
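Review bot: In release.yml the gate is placed only on the `check` job, which keeps forks out only if every later job in the workflow reaches `check` through `needs:` and none of them overrides the default status condition with `always()` or `!cancelled()`; such a job would still run on a fork and fail on the missing secrets. The remainder of release.yml is outside this hunk, so this cannot be confirmed here, and the same question applies to the single gated job in dev-bump.yml, machine-os-pr.yml and update-podmanio.yml. Any job that does not depend on the gated one needs its own `if: github.repository == 'podman-container-tools/podman'` line.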