From 2d77a4b2715f18652ef151c8a289d4c65d2a57ac Mon Sep 17 00:00:00 2001 From: simonsan <14062932+simonsan@users.noreply.github.com> Date: Wed, 29 Nov 2023 12:37:09 +0100 Subject: [PATCH] ci: Run actions that need secrets.GITHUB_TOKEN only on rustic-rs org Signed-off-by: simonsan <14062932+simonsan@users.noreply.github.com> --- .github/workflows/audit.yml | 6 +++++- .github/workflows/nightly.yml | 4 ++-- .github/workflows/prebuilt-pr.yml | 5 +++-- .github/workflows/release-cd.yml | 1 + .github/workflows/release-pr.yml | 1 + .github/workflows/triage.yml | 2 ++ 6 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index b9ceeed..b5408fd 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -16,6 +16,8 @@ on: jobs: audit: + if: ${{ github.repository_owner == 'rustic-rs' }} + name: Run cargo audit runs-on: ubuntu-latest steps: - name: Checkout repository @@ -26,11 +28,12 @@ jobs: with: toolchain: stable - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2 - - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1 + - uses: rustsec/audit-check@4da312dd0f2a5e6b58fecaec5b19e7271ce2ec5d # v1.4.1 with: token: ${{ secrets.GITHUB_TOKEN }} cargo-deny: + if: ${{ github.repository_owner == 'rustic-rs' }} name: Run cargo-deny runs-on: ubuntu-latest steps: @@ -41,6 +44,7 @@ jobs: command: check bans licenses sources result: + if: ${{ github.repository_owner == 'rustic-rs' }} name: Result (Audit) runs-on: ubuntu-latest needs: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index f957faa..b4482f9 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
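Review bot: The added `if: ${{ github.repository_owner == 'rustic-rs' }}` on the `audit` job tests the repository the workflow runs in, not where the triggering change came from, so it stops runs in forks but is still true for a pull request opened from a fork against rustic-rs. The `on:` blocks are outside every hunk, so I cannot tell which events apply; the case that matters most is prebuilt-pr.yml, which builds PR code when the `S-build` label is set. I would add a comment above the line, `# Skips runs in forks only; not a trust check on the PR source`. Where fork PRs must be kept out, also require `github.event.pull_request.head.repo.full_name == github.repository`. The same condition is added in the remaining hunks (cargo-deny, result, nightly.yml, prebuilt-pr.yml, release-cd.yml, release-pr.yml, triage.yml), so the comment belongs there too.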
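Review bot: No job-level `permissions:` is visible on the `audit` job, although its last step passes `secrets.GITHUB_TOKEN` to the newly swapped-in `rustsec/audit-check`. Unless a workflow-level block exists above the hunks, the token carries the repository's default scopes. I would declare them on the job, `permissions:` with `contents: read` plus only the write scopes the action documents, as `make-release-pr` in release-pr.yml already does. `label_issue` in triage.yml shows no job-level permissions either, and its first step sets `env:`, which presumably carries the token. The job header sits in the previous hunk and the step list starts outside this one.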
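Review bot: The new `if:` on `result` contains no status function, so the implicit `success()` still applies and the job is skipped whenever one of its `needs` jobs fails; a skipped job is reported as successful to branch protection. If `Result (Audit)` is configured as a required check (not visible here), a failing audit would therefore not block a merge. Consider `if: ${{ always() && github.repository_owner == 'rustic-rs' }}` with a step that exits non-zero when `contains(needs.*.result, 'failure')` is true, in line with the `always()` pattern in the prebuilt-pr.yml hunk of this patch. The `needs:` list and the steps of the job lie outside the hunk.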
@@ -17,9 +17,9 @@ env: jobs: publish: + if: ${{ github.repository_owner == 'rustic-rs' && github.ref == 'refs/heads/main' }} name: Publishing ${{ matrix.job.target }} runs-on: ${{ matrix.job.os }} - if: ${{ github.ref == 'refs/heads/main' }} strategy: fail-fast: false matrix: @@ -113,9 +113,9 @@ jobs: use-project-version: false publish-nightly: + if: ${{ github.repository_owner == 'rustic-rs' && github.ref == 'refs/heads/main' }} name: Publishing nightly builds needs: publish - if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest steps: - name: Download all workflow run artifacts diff --git a/.github/workflows/prebuilt-pr.yml b/.github/workflows/prebuilt-pr.yml index 41a70ca..d63b59d 100644 --- a/.github/workflows/prebuilt-pr.yml +++ b/.github/workflows/prebuilt-pr.yml @@ -15,9 +15,9 @@ env: jobs: pr-build: + if: ${{ github.event.label.name == 'S-build' && github.repository_owner == 'rustic-rs' }} name: Build PR on ${{ matrix.job.target }} runs-on: ${{ matrix.job.os }} - if: ${{ github.event.label.name == 'S-build' }} strategy: matrix: rust: [stable] @@ -109,7 +109,8 @@ jobs: runs-on: ubuntu-latest if: | always() && - ! contains(needs.*.result, 'skipped') + ! contains(needs.*.result, 'skipped') && + github.repository_owner == 'rustic-rs' steps: - name: Remove label env: diff --git a/.github/workflows/release-cd.yml b/.github/workflows/release-cd.yml index 8df6052..b6b83ad 100644 --- a/.github/workflows/release-cd.yml +++ b/.github/workflows/release-cd.yml @@ -11,6 +11,7 @@ env: jobs: publish: + if: ${{ github.repository_owner == 'rustic-rs' }} name: Publishing ${{ matrix.job.target }} runs-on: ${{ matrix.job.os }} strategy: diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index bea468c..22bbd9e 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -17,6 +17,7 @@ on: jobs: make-release-pr: + if: ${{ github.repository_owner == 'rustic-rs' }} permissions: id-token: write # Enable OIDC pull-requests: write diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml index bf17e7c..11b4855 100644 --- a/.github/workflows/triage.yml +++ b/.github/workflows/triage.yml @@ -5,6 +5,8 @@ on: jobs: label_issue: + if: ${{ github.repository_owner == 'rustic-rs' }} + name: Label issue runs-on: ubuntu-latest steps: - env: