
Block fork pull request workflow jobs #26

Merged: dikshant-coderabbit merged 1 commit into main from coderabbit/actions-lockdown-external-prs on May 12, 2026

Conversation


@harjotgill harjotgill commented May 12, 2026

Summary

  • Skip GitHub Actions jobs for pull requests opened from forks.
  • Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

  • Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

  • Chores
    • Optimized GitHub Actions workflows to improve build and deployment efficiency by adding repository validation checks for pull requests and push events.


coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 31cd9f0f-1cba-4063-bda7-fe10b83f2d93

📥 Commits

Reviewing files that changed from the base of the PR and between fea52a8 and 6d814d6.

📒 Files selected for processing (2)
  • .github/workflows/changeset.yml
  • .github/workflows/ci.yml
📜 Recent review details
🧰 Additional context used
🔀 Multi-repo context coderabbitai/bitbucket

::shell summary inspected workflows in coderabbitai/bitbucket::

Findings:

  • .github/workflows/node.js.yaml — pull_request trigger present; job "test" runs pnpm test with many repository secrets injected into the job environment (BITBUCKET_* and SKIP_*). This means a pull request job that runs for a fork PR could expose or use secrets if the job runs. [::coderabbitai/bitbucket:: .github/workflows/node.js.yaml: lines ~1-200]

  • .github/workflows/node.js.yaml — the "fix" job has an if: condition excluding merge_group and some actors but does not check whether the PR originates from the same repository (no check of github.event.pull_request.head.repo.full_name or github.event_name/head repo equality). [::coderabbitai/bitbucket:: .github/workflows/node.js.yaml: lines ~1-200]

  • .github/workflows/github-pages.yaml and .github/workflows/pnpm-publish.yaml — these workflows run on push or tag events and already include actor-based guards (github.actor != 'nektos/act') but no fork-PR head-repo check (they are not triggered on pull_request). [::coderabbitai/bitbucket:: .github/workflows/github-pages.yaml, .github/workflows/pnpm-publish.yaml: lines ~1-200]

Conclusion: The repository contains a pull_request workflow that injects repository secrets into the job environment and currently lacks a head-repo equality guard — so the PR change (adding checks to skip fork PR jobs) is directly relevant and would reduce risk. [::coderabbitai/bitbucket:: .github/workflows/node.js.yaml]

🔇 Additional comments (2)
.github/workflows/ci.yml (1)

11-11: Fork PR guard is correctly scoped.

This condition preserves push and same-repo PR CI while skipping fork-origin PR jobs as intended.

.github/workflows/changeset.yml (1)

11-11: Security gate for pull_request_target looks good.

The job now correctly requires a same-repo PR and the dependencies label before execution.


📝 Walkthrough

Two GitHub Actions workflows add conditional guards to prevent job execution from cross-repository pull requests and unnecessary triggers. The renovate job now checks PR existence and head repository before evaluating the dependencies label. The CI build job restricts execution to direct pushes or same-repository pull requests.

Changes

Workflow Job Execution Conditions

  • Layer: Job execution conditions for security and efficiency
    Files: .github/workflows/changeset.yml, .github/workflows/ci.yml
    Summary: The renovate job gates on PR existence, head repo match, and the dependencies label. The build job gates on direct push or same-repository PR origin, preventing cross-repo PR execution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

A rabbit in workflows so bright,
Guards gates with conditions just right,
Cross-repo PRs now stay,
While trusted ones play,
Secured jobs that run safe through the night! 🐇✨

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Block fork pull request workflow jobs' clearly and accurately describes the main objective of the pull request: adding conditions to GitHub Actions workflows to block execution for pull requests from forks.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

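The guards that the PR description and the review above summarize, written out as an added example workflow; this is not the repository's own ci.yml or changeset.yml, and the workflow name, job names, the EXAMPLE_TOKEN secret, the npm/npx commands and the use of a 'dependencies' label are assumptions made for illustration:

```yaml
# Added example, not the repository's own workflow. Job names, the secret
# name and the 'dependencies' label are assumed for this illustration.
name: ci-example

on:
  push:
    branches: [main]
  pull_request:
  merge_group:
  pull_request_target:
    types: [labeled, synchronize]

jobs:
  build:
    # Weak guard (insufficient on its own): an actor check says nothing
    # about where the PR head branch lives, so a fork PR would still run.
    # if: github.actor != 'nektos/act'
    #
    # Same-repo guard: pushes and merge-queue runs are unaffected; a PR job
    # runs only when its head repository is this repository. For a fork PR,
    # head.repo.full_name is the fork's name, so the job is skipped and the
    # secret below is never handed to attacker-controlled workflow code.
    if: >-
      github.event_name == 'push' ||
      github.event_name == 'merge_group' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
        env:
          # Only jobs that pass the guard above ever see this value.
          EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}

  renovate:
    # pull_request_target runs with the base repository's secrets even for
    # fork PRs, so gate on three things: a PR payload is present, the head
    # repo is this repository, and the PR carries the 'dependencies' label.
    if: >-
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      contains(github.event.pull_request.labels.*.name, 'dependencies')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Safe only because the guard restricts this to same-repo heads.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npx changeset version
```

A quick check after editing: a fork PR should show both jobs as "skipped" in the checks list rather than "passed", while a same-repo PR and a push to main still run build.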

@dikshant-coderabbit dikshant-coderabbit merged commit 37f7892 into main May 12, 2026
3 checks passed
@dikshant-coderabbit dikshant-coderabbit deleted the coderabbit/actions-lockdown-external-prs branch May 12, 2026 17:38