
fix(ci): prevent workflows from running on forks #13216

Open
Jason-Shen2 wants to merge 1 commit into warpdotdev:master from Jason-Shen2:fix/ci-disable-forks


@Jason-Shen2


Summary

Add a top-level job-level condition github.repository == 'warpdotdev/warp' to all workflows that use self-hosted runners, secrets, or internal reusable workflows, preventing them from failing when triggered on fork repositories.

Changes

Workflows gated (14 files):

  • ci.yml - added condition to the params entry job (all other jobs depend on it and are skipped transitively)
  • sync-pr-checks.yml, check_approvals.yml, repo-sync.yml, close_stale_fix_prs.yml, warp_cleanup_fix_prs.yml - pull-request triggered maintenance workflows
  • populate_build_cache.yml - push/schedule triggered cache workflow
  • cut_new_releases.yml, feature_flag_cleanup.yml - release/maintenance workflows
  • update-dedupe-local.yml, update-triage-local.yml, update-pr-review-local.yml - scheduled triage workflows
  • label_external_contributors.yml - contributor labeling
  • stale_requested_changes_prs.yml - stale PR management

Workflows left unchanged (already safe via only workflow_dispatch/workflow_call triggers):

  • changelog_draft.yml, cut_new_release_candidate.yml, create_release.yml, delete_release.yml, docubot_reply_to_comment.yml

Fixes #12396

Add a top-level job condition github.repository == 'warpdotdev/warp' to workflows
that reference self-hosted runners, secrets, or internal reusable workflows which
are not available on fork repositories. This prevents failing workflow runs on forks.

Fixes warpdotdev#12396
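
Added example, not part of this pull request or the Warp repository: a constructed workflow showing the job-level repository guard described in the summary, how skipping the entry job propagates through `needs`, and the one case where it does not (a downstream job using `always()`). Job names, scripts, the runner label and the secret name are placeholders.

```yaml
# Constructed workflow, not a file from warpdotdev/warp. Job names, scripts,
# the runner label and the secret name are placeholders.
name: ci-example
on:
  push:
  pull_request:

jobs:
  params:
    # Entry job carrying the guard the PR describes. Inside a fork,
    # github.repository is "<fork-owner>/<repo>", so this job is skipped.
    if: github.repository == 'warpdotdev/warp'
    runs-on: ubuntu-latest
    outputs:
      target: ${{ steps.pick.outputs.target }}
    steps:
      - id: pick
        run: echo "target=linux" >> "$GITHUB_OUTPUT"

  build:
    # No `if:` needed. A job whose `needs` dependency was skipped is skipped
    # as well, so the self-hosted runner is never requested on a fork.
    needs: params
    runs-on: [self-hosted, example-label]
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh "${{ needs.params.outputs.target }}"

  notify:
    # always() replaces the implicit success() check, so without its own
    # repository test this job would still run on a fork after `params`
    # was skipped, and would reference a secret the fork does not have.
    needs: [params, build]
    if: always() && github.repository == 'warpdotdev/warp'
    runs-on: ubuntu-latest
    steps:
      - run: ./notify.sh
        env:
          EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
```

The guard tests where the run executes, not where the change came from: a pull request opened from a fork against warpdotdev/warp runs in the base repository, so the condition is still true there. Any downstream job that uses `always()`, `failure()` or `!cancelled()` needs the repository check repeated in its own `if:`.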
@cla-bot cla-bot Bot added the cla-signed label Jun 30, 2026
@github-actions github-actions Bot added the external-contributor Indicates that a PR has been opened by someone outside the Warp team. label Jun 30, 2026
@oz-for-oss

oz-for-oss Bot commented Jun 30, 2026


@Jason-Shen2

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I reviewed this pull request and requested human review from: @coolcom200.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@oz-for-oss oz-for-oss Bot left a comment


Overview

This PR adds repository guards to GitHub Actions workflows that use self-hosted runners, inherited secrets, write permissions, or internal reusable workflows so those jobs are skipped when the workflow definition is running from a forked repository.

Concerns

No blocking concerns found. The attached spec context does not include an approved spec to validate against, and the workflow changes do not introduce security concerns.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve


@oz-for-oss oz-for-oss Bot requested a review from coolcom200 June 30, 2026 06:13

Development

Successfully merging this pull request may close these issues.

GitHub Actions should not run on forks
