
Block fork pull request workflow jobs#1

Merged
dikshant-coderabbit merged 1 commit into main from coderabbit/actions-lockdown-external-prs on May 12, 2026

Conversation

@harjotgill harjotgill commented May 12, 2026

Summary

  • Skip GitHub Actions jobs for pull requests opened from forks.
  • Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

  • Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

  • Chores
    • Improved CI/CD pipeline efficiency by adding conditional logic to prevent unnecessary workflow runs in specific scenarios, reducing resource consumption and accelerating feedback cycles for development processes.

coderabbitai Bot commented May 12, 2026

📝 Walkthrough

This PR adds job-level conditional guards to GitHub workflow files to restrict execution of build and validation jobs to same-repository PRs and non-PR events, preventing untrusted external pull requests from triggering these jobs.

Changes

Workflow PR Origin Validation

Layer: Build workflow job execution guards
File(s): .github/workflows/build.yml
Summary: The job_build, job_lint, and job_test jobs each receive an if condition that skips execution for external-origin PRs while allowing same-repository PRs and non-PR events.

Layer: PR validation workflow job execution guard
File(s): .github/workflows/pr-conventional-commit.yml
Summary: The validate-pr-title job receives an if condition that checks for pull request context and verifies the PR head repository matches the current repository before running.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit guards the workflow gate,
Checking origins—no external fate!
Same-repo PRs and events flow free,
While forks stay out—secure and clean!

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Block fork pull request workflow jobs' accurately describes the main change: conditionally skipping workflow jobs for pull requests from forks to prevent unauthorized access to secrets.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

11-11: Consider adding a “safe fork PR” workflow for basic feedback.

Non-blocking suggestion: if you still want CI signal on fork PRs, add a separate workflow with minimal permissions, no secrets, and only safe read-only checks.

Also applies to: 40-40, 62-62

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 11, the current workflow uses the condition "if: ${{ github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository }}" which prevents running on forked PRs; add a second minimal "safe fork PR" workflow that runs on pull_request events from forks, sets only read-only permissions, does not reference secrets, and contains only safe checks (linting, unit tests that don't require secrets, dependency scanning) so maintainers get basic CI feedback; also replicate this change for the other occurrences of the same conditional present in the file so all CI paths have a safe-fork counterpart.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c041b35f-10b3-464b-a263-a89a659e9125

📥 Commits

Reviewing files that changed from the base of the PR and between eeb2434 and 26b56f1.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/pr-conventional-commit.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Node (22) Unit Tests
  • GitHub Check: Node (18) Unit Tests
  • GitHub Check: Lint
🔇 Additional comments (2)
.github/workflows/pr-conventional-commit.yml (1)

9-9: Fork-PR gating is correctly enforced for this job.

This condition cleanly blocks external-fork PR execution while preserving intended same-repo PR behavior.

.github/workflows/build.yml (1)

11-11: Conditional guards are consistent and correctly scoped across all three jobs.

The new if checks implement the intended lockdown (skip fork PRs, keep push/same-repo PR paths intact).

Also applies to: 40-40, 62-62
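The guard the review quotes, `github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository`, is a job-level `if`, so it has to be repeated on every job that must not run for fork PRs (the PR applies it to three jobs in build.yml and one in pr-conventional-commit.yml). The following is an added example, not the repository's own build.yml: a workflow carrying that guard on a job that references a secret, beside a secret-free job that only runs for fork PRs in the spirit of the review's "safe fork PR" nitpick. The workflow name, the `npm` commands, the Node version and the `PUBLISH_TOKEN` secret name are assumptions. One caveat worth knowing when reading the guard: for `pull_request` events from forks GitHub already withholds repository secrets other than a read-only `GITHUB_TOKEN`, so the guard's concrete effect is that the job does not execute at all against fork-controlled code, which is what the PR sets out to achieve.

```yaml
# Added example (not the repository's own build.yml): a workflow carrying the
# job-level guard described in this PR, plus a secret-free job for fork PRs.
name: build

on:
  push:
    branches: [main]
  pull_request:
  merge_group:

# Workflow-wide default: read-only token.
permissions:
  contents: read

jobs:
  job_build:
    # Guard from the PR: run for non-PR events (push, merge_group), where
    # github.event.pull_request is null, and for PRs whose head repository is
    # this repository. Fork PRs are skipped, so this job and its secret never
    # run against fork-controlled workflow or build code.
    if: ${{ github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci && npm run build
        env:
          # Hypothetical secret name; only reachable by jobs that pass the guard.
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}

  job_fork_checks:
    # Counterpart of the review's "safe fork PR" suggestion, written as a job
    # here instead of a separate workflow file: runs only for fork PRs, with an
    # explicitly read-only token and no secrets referenced.
    if: ${{ github.event.pull_request != null && github.event.pull_request.head.repo.full_name != github.repository }}
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci && npm run lint
```

The two conditions are exact complements, so for any pull_request event exactly one of the jobs runs, and for push and merge_group events only job_build runs. As in the PR's own validation step, `yq e '.' .github/workflows/build.yml` is a quick way to confirm the file still parses after editing the expressions.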

@dikshant-coderabbit dikshant-coderabbit merged commit e6c28ea into main May 12, 2026
6 of 8 checks passed