ci: Run actions that need secrets.GITHUB_TOKEN only on rustic-rs org

Signed-off-by: simonsan <[email protected]>
rustic-rs · Nov 29, 2023 · 2d77a4b · 2d77a4b
1 parent e85d7a1
commit 2d77a4b
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 5 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -16,6 +16,8 @@ on:
 
 jobs:
   audit:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
+    name: Run cargo audit
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -26,11 +28,12 @@ jobs:
         with:
           toolchain: stable
       - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2
-      - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1
+      - uses: rustsec/audit-check@4da312dd0f2a5e6b58fecaec5b19e7271ce2ec5d # v1.4.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
   cargo-deny:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
     name: Run cargo-deny
     runs-on: ubuntu-latest
     steps:
@@ -41,6 +44,7 @@ jobs:
           command: check bans licenses sources
 
   result:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
     name: Result (Audit)
     runs-on: ubuntu-latest
     needs:

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -17,9 +17,9 @@ env:
 
 jobs:
   publish:
+    if: ${{ github.repository_owner == 'rustic-rs' && github.ref == 'refs/heads/main' }}
     name: Publishing ${{ matrix.job.target }}
     runs-on: ${{ matrix.job.os }}
-    if: ${{ github.ref == 'refs/heads/main' }}
     strategy:
       fail-fast: false
       matrix:
@@ -113,9 +113,9 @@ jobs:
           use-project-version: false
 
   publish-nightly:
+    if: ${{ github.repository_owner == 'rustic-rs' && github.ref == 'refs/heads/main' }}
     name: Publishing nightly builds
     needs: publish
-    if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
     steps:
       - name: Download all workflow run artifacts

diff --git a/.github/workflows/prebuilt-pr.yml b/.github/workflows/prebuilt-pr.yml
@@ -15,9 +15,9 @@ env:
 
 jobs:
   pr-build:
+    if: ${{ github.event.label.name == 'S-build' && github.repository_owner == 'rustic-rs' }}
     name: Build PR on ${{ matrix.job.target }}
     runs-on: ${{ matrix.job.os }}
-    if: ${{ github.event.label.name == 'S-build' }}
     strategy:
       matrix:
         rust: [stable]
@@ -109,7 +109,8 @@ jobs:
     runs-on: ubuntu-latest
     if: |
       always() &&
-      ! contains(needs.*.result, 'skipped')
+      ! contains(needs.*.result, 'skipped') &&
+      github.repository_owner == 'rustic-rs'
     steps:
       - name: Remove label
         env:

diff --git a/.github/workflows/release-cd.yml b/.github/workflows/release-cd.yml
@@ -11,6 +11,7 @@ env:
 
 jobs:
   publish:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
     name: Publishing ${{ matrix.job.target }}
     runs-on: ${{ matrix.job.os }}
     strategy:

diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
@@ -17,6 +17,7 @@ on:
 
 jobs:
   make-release-pr:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
     permissions:
       id-token: write # Enable OIDC
       pull-requests: write

diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
@@ -5,6 +5,8 @@ on:
 
 jobs:
   label_issue:
+    if: ${{ github.repository_owner == 'rustic-rs' }}
+    name: Label issue
     runs-on: ubuntu-latest
     steps:
       - env: