From 02d7901041ccd017954393206d8b5d9be7db93fd Mon Sep 17 00:00:00 2001 From: Karl Rister Date: Wed, 15 Apr 2026 09:55:11 -0500 Subject: [PATCH] feat: block fork PRs and skip CI for fork-originated pull requests Add fork-check.yaml workflow that automatically comments and closes PRs opened from forks. Add fork guard to all PR-triggered CI workflows. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/crucible-ci.yaml | 5 +++-- .github/workflows/fork-check.yaml | 27 +++++++++++++++++++++++++++ .github/workflows/unittest.yaml | 5 +++-- 3 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/fork-check.yaml diff --git a/.github/workflows/crucible-ci.yaml b/.github/workflows/crucible-ci.yaml index 570d11f..48272d8 100644 --- a/.github/workflows/crucible-ci.yaml +++ b/.github/workflows/crucible-ci.yaml @@ -26,6 +26,7 @@ jobs: .github/rulesets/** .github/workflows/run-crucible-tracking.yaml .github/workflows/crucible-ci.yaml + .github/workflows/fork-check.yaml .github/workflows/controller-build.yaml .github/workflows/unittest.yaml docs/** @@ -34,7 +35,7 @@ jobs: call-real-core-release-crucible-ci: needs: changes - if: ${{ github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true' }} + if: ${{ github.event.pull_request.head.repo.fork != true && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }} uses: perftool-incubator/crucible-ci/.github/workflows/core-release-crucible-ci.yaml@main with: ci_target: "multiplex" @@ -47,7 +48,7 @@ jobs: call-faux-core-release-crucible-ci: needs: changes - if: ${{ github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }} + if: ${{ github.event.pull_request.head.repo.fork != true && github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }} uses: perftool-incubator/crucible-ci/.github/workflows/faux-core-release-crucible-ci.yaml@main crucible-ci-complete: 
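Review bot: The `github.event.pull_request.head.repo.fork != true` guard added to `call-real-core-release-crucible-ci` and `call-faux-core-release-crucible-ci` should not be treated as a security boundary. If these workflows trigger on `pull_request` (the `on:` block is outside the hunks, so this is inferred from the commit message), the condition is read from the workflow file as it exists in the pull request, so a PR that edits the file can remove it. The controls that actually hold are fork-check.yaml running from the base branch, GitHub withholding secrets from fork `pull_request` runs, and the repository setting that requires approval before fork workflows run. I would say so next to each guard, e.g. `# Saves runner time only; fork PRs are blocked by fork-check.yaml, not by this condition`. The same applies to the `multiplex-unittests` and `faux-unittest` guards in unittest.yaml; also confirm that the `changes` and `crucible-ci-complete` jobs, whose bodies are outside the hunks, behave as intended when both guarded jobs are skipped, since a skipped job can satisfy a required check.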
diff --git a/.github/workflows/fork-check.yaml b/.github/workflows/fork-check.yaml new file mode 100644 index 0000000..2934d35 --- /dev/null +++ b/.github/workflows/fork-check.yaml @@ -0,0 +1,27 @@ +name: fork-check + +on: + pull_request_target: + types: [opened, reopened] + +jobs: + block-fork-pr: + if: github.event.pull_request.head.repo.fork == true + runs-on: ubuntu-latest + steps: + - name: Comment and close fork PR + uses: actions/github-script@v7 + with: + script: | + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + body: 'This PR was opened from a fork. PRs must be opened from branches on the upstream repository so that CI workflows have access to required secrets and variables.\n\nPlease push your branch to this repository and open a new PR.\n\nClosing this PR automatically.' + }); + await github.rest.pulls.update({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number, + state: 'closed' + }); diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml index 9bde430..e992bd8 100644 --- a/.github/workflows/unittest.yaml +++ b/.github/workflows/unittest.yaml @@ -26,6 +26,7 @@ jobs: .github/rulesets/** .github/workflows/run-crucible-tracking.yaml .github/workflows/crucible-ci.yaml + .github/workflows/fork-check.yaml .github/workflows/controller-build.yaml .github/workflows/unittest.yaml docs/** @@ -35,7 +36,7 @@ jobs: multiplex-unittests: runs-on: ubuntu-latest needs: changes - if: ${{ github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true' }} + if: ${{ github.event.pull_request.head.repo.fork != true && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }} steps: - uses: actions/checkout@v4 
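Review bot: In fork-check.yaml the `block-fork-pr` job runs on `pull_request_target` without a `permissions:` block, so its token inherits the repository default, which may be broader than the two API calls need. Scope it at job level with `permissions:` / `pull-requests: write`, adding `issues: write` only if the comment call is rejected without it. `actions/github-script@v7` is a mutable tag in a workflow that holds a write token, so pinning it to a full commit SHA (`actions/github-script@<full-commit-sha> # v7`) would be safer. The job is safe today because it never checks out or runs code from the PR head; a comment such as `# Do not add a checkout of the PR head here: this workflow runs with base-repo privileges` would keep it that way.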
@@ -59,7 +60,7 @@ jobs: faux-unittest: runs-on: ubuntu-latest needs: changes - if: ${{ github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }} + if: ${{ github.event.pull_request.head.repo.fork != true && github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }} steps: - run: echo "faux-unittest-complete"