From 0d5dbde4d34462e0ee5178363bbd0037cb47dd28 Mon Sep 17 00:00:00 2001
From: Daniel Widdis
Date: Mon, 14 Aug 2023 13:20:50 -0700
Subject: [PATCH] Restrict GitHub Actions to run only on OpenSearch repo (#9284)
* Restrict GitHub Actions to run only on OpenSearch repo
Signed-off-by: Daniel Widdis
* Revert changes unlikely to run on forks
Signed-off-by: Daniel Widdis
---------
Signed-off-by: Daniel Widdis
---
 .github/workflows/add-untriaged.yml | 1 +
 .github/workflows/changelog_verifier.yml | 1 +
 .github/workflows/check-compatibility.yml | 1 +
 .github/workflows/gradle-check.yml | 1 +
 .github/workflows/lucene-snapshots.yml | 1 +
 .github/workflows/precommit.yml | 1 +
 .github/workflows/publish-maven-snapshots.yml | 1 +
 .github/workflows/stalled.yml | 1 +
 .github/workflows/version.yml | 1 +
 .github/workflows/wrapper.yml | 1 +
 10 files changed, 10 insertions(+)
diff --git a/.github/workflows/add-untriaged.yml b/.github/workflows/add-untriaged.yml
index 15b9a55651254..11db8b9a61f50 100644
--- a/.github/workflows/add-untriaged.yml
+++ b/.github/workflows/add-untriaged.yml
@@ -6,6 +6,7 @@ on:
 jobs:
 apply-label:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/github-script@v6
diff --git a/.github/workflows/changelog_verifier.yml b/.github/workflows/changelog_verifier.yml
index 992a38b624d7a..8060ea93f477a 100644
--- a/.github/workflows/changelog_verifier.yml
+++ b/.github/workflows/changelog_verifier.yml
@@ -6,6 +6,7 @@ on:
 jobs: # Enforces the update of a changelog file on every pull request
 verify-changelog:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
diff --git a/.github/workflows/check-compatibility.yml b/.github/workflows/check-compatibility.yml
index b208fe38a581f..9c3161686501f 100644
--- a/.github/workflows/check-compatibility.yml
+++ b/.github/workflows/check-compatibility.yml
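Review bot: The `if:` added to `apply-label` in `.github/workflows/add-untriaged.yml` has no comment explaining the gate, and the same literal is repeated in the nine other workflow files touched by this patch. I would put `# Skip in forks; this is a convenience guard, not an access control` above each occurrence, since the condition lives in the workflow file and anyone who forks the repository can delete it. Anything that must stay restricted to opensearch-project/OpenSearch (secrets, tokens, publishing rights) has to be enforced outside the workflow. The job's steps continue outside the hunk.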
@@ -6,6 +6,7 @@ on:
 jobs:
 build:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
diff --git a/.github/workflows/gradle-check.yml b/.github/workflows/gradle-check.yml
index f895dfc2c1f4d..b86962a5ebb49 100644
--- a/.github/workflows/gradle-check.yml
+++ b/.github/workflows/gradle-check.yml
@@ -13,6 +13,7 @@ permissions:
 jobs:
 gradle-check:
+ if: github.repository == 'opensearch-project/OpenSearch'
 permissions:
 contents: read # to fetch code (actions/checkout)
 pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)
diff --git a/.github/workflows/lucene-snapshots.yml b/.github/workflows/lucene-snapshots.yml
index c67219d2a3437..2ef476c190ed8 100644
--- a/.github/workflows/lucene-snapshots.yml
+++ b/.github/workflows/lucene-snapshots.yml
@@ -13,6 +13,7 @@ on:
 jobs:
 publish-snapshots:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest # These permissions are needed to interact with GitHub's OIDC Token endpoint.
 permissions:
diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml
index 733018400e135..fdb1d7d4262e4 100644
--- a/.github/workflows/precommit.yml
+++ b/.github/workflows/precommit.yml
@@ -3,6 +3,7 @@ on: [pull_request]
 jobs:
 precommit:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
diff --git a/.github/workflows/publish-maven-snapshots.yml b/.github/workflows/publish-maven-snapshots.yml
index 3891ac82e1a1a..43c18af78ae4c 100644
--- a/.github/workflows/publish-maven-snapshots.yml
+++ b/.github/workflows/publish-maven-snapshots.yml
@@ -10,6 +10,7 @@ on:
 jobs:
 build-and-publish-snapshots:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 permissions:
diff --git a/.github/workflows/stalled.yml b/.github/workflows/stalled.yml
index 0d03049a2e23c..bc0a98fff511e 100644
--- a/.github/workflows/stalled.yml
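Review bot: In `.github/workflows/gradle-check.yml` the new condition guards a job that is granted `pull-requests: write`, but it tests only which repository the workflow runs in, not where a pull request comes from. For pull-request events `github.repository` is the base repository, so a pull request from a fork against opensearch-project/OpenSearch still passes the check; the workflow's trigger is outside this hunk, so whether that matters depends on it (notably if it is `pull_request_target`). A comment such as `# Gates on the repository running the workflow, not on the PR source` would stop the line being mistaken for a restriction on untrusted contributions. The job's steps are outside the hunk.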
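Review bot: For `publish-snapshots` in `.github/workflows/lucene-snapshots.yml`, and likewise `build-and-publish-snapshots` in `publish-maven-snapshots.yml`, the `if:` avoids accidental publish attempts from forks but does not protect the publishing credentials, because a fork can edit its copy of the workflow. The context comment refers to GitHub's OIDC token endpoint, so the effective control is presumably the trust policy on the receiving side, which should pin the token's repository claim to opensearch-project/OpenSearch; that configuration is not visible here and is worth confirming. I would document this next to the condition, e.g. `# Convenience guard; publishing is authorized by the OIDC trust policy, not by this check`. Both jobs continue outside their hunks.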
+++ b/.github/workflows/stalled.yml
@@ -6,6 +6,7 @@ permissions:
 pull-requests: write
 jobs:
 stale:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - name: GitHub App token
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index 764a365e7411c..ad79a425557bb 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -8,6 +8,7 @@ on:
 permissions: {}
 jobs:
 build:
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - name: GitHub App token
diff --git a/.github/workflows/wrapper.yml b/.github/workflows/wrapper.yml
index c3e0aae98cde2..80acaa906711b 100644
--- a/.github/workflows/wrapper.yml
+++ b/.github/workflows/wrapper.yml
@@ -4,6 +4,7 @@ on: [pull_request]
 jobs:
 validate:
 name: Validate
+ if: github.repository == 'opensearch-project/OpenSearch'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2