ci: limit CI from fork to jobs that don’t depend en secrets

2024-07-16 17:01:30 +02:00 · 2024-07-16 17:01:30 +02:00 · 59da52854a
parent e9350ba38e
commit 59da52854a
3 changed files with 9 additions and 7 deletions
--- a/.github/workflows/add-a11y-checklist.yaml
+++ b/.github/workflows/add-a11y-checklist.yaml
@ -25,7 +25,7 @@ jobs:
          comment-author: 'github-actions[bot]'
          body-includes: accessibilité
      - name: Create comment
-        if: steps.changed-files-specific.outputs.any_changed == 'true' && steps.find-comment.outputs.comment-id == ''
+        if: github.event.pull_request.head.repo.full_name == github.repository && steps.changed-files-specific.outputs.any_changed == 'true' && steps.find-comment.outputs.comment-id == ''
        uses: peter-evans/create-or-update-comment@v3
        with:
          issue-number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@ -18,6 +18,7 @@ on:

 jobs:
  deploy-context:
+    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-22.04
    outputs:
      env-name: ${{ steps.deploy-env.outputs.name }}
@ -37,6 +38,7 @@ jobs:

  build:
    needs: deploy-context
+    if: github.event.pull_request.head.repo.full_name == github.repository
    env:
      API_BASE_URL: ${{ needs.deploy-context.outputs.api_url }}
      SERVER_BASE_URL: ${{ needs.deploy-context.outputs.server_url }}
@ -138,7 +140,7 @@ jobs:
  deploy-preview:
    needs: [build, build-storybook, deploy-context]
    runs-on: ubuntu-22.04
-    if: needs.deploy-context.outputs.env-name != 'master'
+    if: github.event.pull_request.head.repo.full_name == github.repository && needs.deploy-context.outputs.env-name != 'master'
    strategy:
      matrix:
        site: ['', 'en']
@ -175,7 +177,7 @@ jobs:
  deploy-prod:
    needs: [build, build-storybook, deploy-context]
    runs-on: ubuntu-22.04
-    if: needs.deploy-context.outputs.env-name == 'master'
+    if: github.event.pull_request.head.repo.full_name == github.repository && needs.deploy-context.outputs.env-name == 'master'
    steps:
      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
@ -204,7 +206,7 @@ jobs:

  post-comment:
    runs-on: ubuntu-22.04
-    if: github.event_name == 'pull_request'
+    if: github.event.pull_request.head.repo.full_name == github.repository && github.event_name == 'pull_request'
    needs: [deploy-preview, deploy-context]
    steps:
      - name: Find Comment
@ -235,7 +237,7 @@ jobs:
    runs-on: ubuntu-22.04
    container: cypress/browsers:latest
    # We need to specify always() https://github.com/actions/runner/issues/491
-    if: always() && needs.deploy-preview.result == 'success'
+    if: always() && github.event.pull_request.head.repo.full_name == github.repository && needs.deploy-preview.result == 'success'
    needs: [deploy-context, deploy-preview]

    strategy:
@ -306,7 +308,7 @@ jobs:
    runs-on: ubuntu-22.04
    container: cypress/browsers:latest
    # We need to specify always() https://github.com/actions/runner/issues/491
-    if: always() && needs.deploy-prod.result == 'success'
+    if: always() && github.event.pull_request.head.repo.full_name == github.repository && needs.deploy-prod.result == 'success'
    needs: [deploy-context, deploy-prod]

    strategy:
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@ -1,5 +1,5 @@
 name: Tests
-on: push
+on: ['push', 'pull_request']

 jobs:
  lint: