From 9397769d6cc847d05b1eb1ea2c65657e39ec4bee Mon Sep 17 00:00:00 2001
From: Karl Rister
Date: Wed, 15 Apr 2026 09:54:53 -0500
Subject: [PATCH] feat: block fork PRs and skip CI for fork-originated pull requests
Add fork-check.yaml workflow that automatically comments and closes PRs opened from forks. Add fork guard to all PR-triggered CI workflows.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/crucible-ci.yaml | 5 +++--
.github/workflows/fork-check.yaml | 27 +++++++++++++++++++++++++++
.github/workflows/workshop-ci.yaml | 7 ++++---
3 files changed, 34 insertions(+), 5 deletions(-)
create mode 100644 .github/workflows/fork-check.yaml
diff --git a/.github/workflows/crucible-ci.yaml b/.github/workflows/crucible-ci.yaml
index 9474b7d..37ff474 100644
--- a/.github/workflows/crucible-ci.yaml
+++ b/.github/workflows/crucible-ci.yaml
@@ -28,6 +28,7 @@ jobs:
.github/workflows/run-crucible-tracking.yaml
.github/workflows/crucible-merged.yaml
.github/workflows/crucible-ci.yaml
+ .github/workflows/fork-check.yaml
.github/workflows/controller-build.yaml
.github/workflows/workshop-ci.yaml
docs/**
@@ -36,7 +37,7 @@ jobs:
call-real-core-release-crucible-ci:
needs: changes
- if: ${{ github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true' }}
+ if: ${{ github.event.pull_request.head.repo.fork != true && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }}
uses: perftool-incubator/crucible-ci/.github/workflows/core-release-crucible-ci.yaml@main
with:
ci_target: "workshop"
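Review bot: The new guard `github.event.pull_request.head.repo.fork != true` on the `if:` line fails open: GitHub expressions evaluate a missing property to an empty value, so the comparison is true not only for `workflow_dispatch` (intended) but also for any pull request whose `head.repo` is absent from the payload, which I believe is the case when a fork has been deleted — worth confirming. A fail-closed form that still lets `workflow_dispatch` through is `if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }}`. The same expression is repeated in the `@@ -48` hunk of this file and in all three `if:` hunks of `.github/workflows/workshop-ci.yaml`, so the same change and a one-line comment above each guard, e.g. `# skip on fork PRs: they cannot use this repository's secrets/variables`, would keep the intent visible across five copies. Note that on a `pull_request` run from a fork GitHub withholds secrets regardless, so this guard mainly avoids failing runs; the actual control is `fork-check.yaml`.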
@@ -48,7 +49,7 @@ jobs:
call-faux-core-release-crucible-ci:
needs: changes
- if: ${{ github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }}
+ if: ${{ github.event.pull_request.head.repo.fork != true && github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }}
uses: perftool-incubator/crucible-ci/.github/workflows/faux-core-release-crucible-ci.yaml@main
crucible-ci-complete:
diff --git a/.github/workflows/fork-check.yaml b/.github/workflows/fork-check.yaml
new file mode 100644
index 0000000..2934d35
--- /dev/null
+++ b/.github/workflows/fork-check.yaml
@@ -0,0 +1,27 @@
+name: fork-check
+
+on:
+ pull_request_target:
+ types: [opened, reopened]
+
+jobs:
+ block-fork-pr:
+ if: github.event.pull_request.head.repo.fork == true
+ runs-on: ubuntu-latest
+ steps:
+ - name: Comment and close fork PR
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: 'This PR was opened from a fork. PRs must be opened from branches on the upstream repository so that CI workflows have access to required secrets and variables.\n\nPlease push your branch to this repository and open a new PR.\n\nClosing this PR automatically.'
+ });
+ await github.rest.pulls.update({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number,
+ state: 'closed'
+ });
diff --git a/.github/workflows/workshop-ci.yaml b/.github/workflows/workshop-ci.yaml
index fca7bbf..af0091c 100644
--- a/.github/workflows/workshop-ci.yaml
+++ b/.github/workflows/workshop-ci.yaml
@@ -30,6 +30,7 @@ jobs:
.github/rulesets/**
.github/workflows/run-crucible-tracking.yaml
.github/workflows/crucible-ci.yaml
+ .github/workflows/fork-check.yaml
.github/workflows/controller-build.yaml
.github/workflows/workshop-ci.yaml
docs/**
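Review bot: `block-fork-pr` in the new `fork-check.yaml` runs on `pull_request_target`, i.e. with the base repository's write-capable `GITHUB_TOKEN` and its secrets in scope, yet the workflow declares no `permissions:`, so the token carries whatever the repository default grants rather than the minimum the two API calls need; add a job-level `permissions:` with `pull-requests: write` (and `issues: write` only if `createComment` is refused without it — confirm against the REST docs). What keeps this trigger safe is that the job never checks out or executes PR-controlled content and only reads `context.issue.number`; that invariant deserves a comment above `steps:`, e.g. `# pull_request_target: base-repo token in scope — never check out or run PR head content in this job`. For the same reason `uses: actions/github-script@v7` should be pinned to a full commit SHA rather than a mutable tag, since a compromised tag would run with that token. The job-level `if: ... head.repo.fork == true` fails closed when `head.repo` is missing, which is fine here.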
@@ -38,7 +39,7 @@ jobs:
workshop-pl:
needs: changes
- if: ${{ github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true' }}
+ if: ${{ github.event.pull_request.head.repo.fork != true && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }}
runs-on: [ self-hosted, aws-cloud-1 ]
steps:
@@ -94,7 +95,7 @@ jobs:
workshop-py:
needs: changes
- if: ${{ github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true' }}
+ if: ${{ github.event.pull_request.head.repo.fork != true && (github.event_name == 'workflow_dispatch' || needs.changes.outputs.only-docs != 'true') }}
runs-on: [ self-hosted, aws-cloud-1 ]
steps:
@@ -151,7 +152,7 @@ jobs:
faux-workshop-ci:
needs: changes
- if: ${{ github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }}
+ if: ${{ github.event.pull_request.head.repo.fork != true && github.event_name != 'workflow_dispatch' && needs.changes.outputs.only-docs == 'true' }}
runs-on: ubuntu-latest
steps: - run: echo "faux-workshop-ci complete"