Skip to content

Commit 9bab549

Browse files
committed
spike: gate secret-dependent workflows for fork PRs
1 parent 7fa8698 commit 9bab549

3 files changed

Lines changed: 12 additions & 3 deletions

File tree

.github/workflows/build-test-push-workflow.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,7 @@ jobs:
5050
with:
5151
go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
5252
- name: Install goveralls
53+
if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.COVERALLS_TOKEN != '' }}
5354
run: |
5455
go version
5556
go install github.com/mattn/goveralls@latest
@@ -61,14 +62,15 @@ jobs:
6162
run: |
6263
make test
6364
- name: Run Code Coverage
64-
if: ${{ secrets.COVERALLS_TOKEN != '' }}
65+
if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.COVERALLS_TOKEN != '' }}
6566
run: goveralls -shallow -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }}
6667
- name: Upload Coverage artifacts
6768
uses: actions/upload-artifact@v4.4.0
6869
with:
6970
name: coverage.out
7071
path: coverage.out
7172
build-operator-image:
73+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
7274
runs-on: ubuntu-latest
7375
needs: [check-formating, unit-tests]
7476
env:
@@ -121,6 +123,7 @@ jobs:
121123
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
122124
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
123125
vulnerability-scan:
126+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
124127
permissions:
125128
actions: read
126129
contents: read
@@ -175,6 +178,7 @@ jobs:
175178
with:
176179
sarif_file: 'trivy-results.sarif'
177180
smoke-tests:
181+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
178182
needs: vulnerability-scan
179183
strategy:
180184
fail-fast: false

.github/workflows/distroless-build-test-push-workflow.yml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,7 @@ jobs:
4545
with:
4646
go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
4747
- name: Install goveralls
48+
if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.COVERALLS_TOKEN != '' }}
4849
run: |
4950
go version
5051
go install github.com/mattn/goveralls@latest
@@ -55,14 +56,15 @@ jobs:
5556
- name: Run Unit Tests
5657
run: make test
5758
- name: Run Code Coverage
58-
if: ${{ secrets.COVERALLS_TOKEN != '' }}
59+
if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.COVERALLS_TOKEN != '' }}
5960
run: goveralls -shallow -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }}
6061
- name: Upload Coverage artifacts
6162
uses: actions/upload-artifact@v4.4.0
6263
with:
6364
name: coverage.out
6465
path: coverage.out
6566
build-operator-image:
67+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
6668
runs-on: ubuntu-latest
6769
needs: unit-tests
6870
env:
@@ -170,6 +172,7 @@ jobs:
170172
# with:
171173
# sarif_file: 'trivy-results.sarif'
172174
smoke-tests:
175+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
173176
needs: build-operator-image
174177
strategy:
175178
fail-fast: false

.github/workflows/prodsec-workflow.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ on:
1717
- '*.md'
1818
jobs:
1919
semgrep:
20+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
2021
name: Semgrep Scanner
2122
runs-on: ubuntu-24.04
2223
env:
@@ -27,6 +28,7 @@ jobs:
2728
- uses: actions/checkout@v3
2829
- run: semgrep ci
2930
FOSSA-scanner:
31+
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
3032
runs-on: ubuntu-latest
3133
env:
3234
SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
@@ -42,4 +44,4 @@ jobs:
4244
if: ${{ secrets.FOSSA_API_TOKEN != '' }}
4345
uses: fossas/fossa-action@main
4446
with:
45-
api-key: ${{secrets.FOSSA_API_TOKEN}}
47+
api-key: ${{secrets.FOSSA_API_TOKEN}}

0 commit comments

Comments
 (0)