From 270345853557d0f1883ccd0cf5f1f562cdf698dc Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 1 Jun 2026 17:36:26 +0200 Subject: [PATCH] ci: don't run membrowse workflows on forks Forks with Actions enabled would otherwise run the membrowse build matrix on push/workflow_dispatch and report fork builds to the membrowse backend. Guard the jobs in both workflows with github.repository_owner == 'wolfssl' (combined with the existing draft check in the report workflow), matching tls-anvil.yml and coverity-scan-fixes.yml. Also default the analyze/onboard matrix to '[]' so strategy expansion does not error when load-targets is skipped on forks or draft PRs. --- .github/workflows/membrowse-onboard.yml | 6 +++++- .github/workflows/membrowse-report.yml | 10 ++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/membrowse-onboard.yml b/.github/workflows/membrowse-onboard.yml index 503942b75f..805cf65a65 100644 --- a/.github/workflows/membrowse-onboard.yml +++ b/.github/workflows/membrowse-onboard.yml @@ -11,6 +11,9 @@ on: jobs: load-targets: + # Only run from the wolfssl org to avoid burning forks' CI minutes + # and reporting fork builds to the membrowse backend. + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 10 outputs: @@ -25,12 +28,13 @@ jobs: onboard: needs: load-targets + if: github.repository_owner == 'wolfssl' runs-on: ubuntu-24.04 timeout-minutes: 10 strategy: fail-fast: false matrix: - include: ${{ fromJson(needs.load-targets.outputs.matrix) }} + include: ${{ fromJson(needs.load-targets.outputs.matrix || '[]') }} steps: - name: Checkout repository diff --git a/.github/workflows/membrowse-report.yml b/.github/workflows/membrowse-report.yml index e517ce33dc..b97306d90d 100644 --- a/.github/workflows/membrowse-report.yml +++ b/.github/workflows/membrowse-report.yml @@ -13,7 +13,9 @@ concurrency: jobs: load-targets: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + # Only run from the wolfssl org to avoid burning forks' CI minutes + # and reporting fork builds to the membrowse backend. + if: github.repository_owner == 'wolfssl' && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) runs-on: ubuntu-24.04 timeout-minutes: 10 outputs: @@ -27,7 +29,7 @@ jobs: run: echo "matrix=$(jq -c '.' .github/membrowse-targets.json)" >> $GITHUB_OUTPUT check-changes: - if: github.event_name != 'pull_request' || github.event.pull_request.draft == false + if: github.repository_owner == 'wolfssl' && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) runs-on: ubuntu-24.04 timeout-minutes: 5 outputs: @@ -64,13 +66,13 @@ jobs: analyze: needs: [load-targets, check-changes] - if: github.event_name != 'pull_request' || needs.check-changes.outputs.needs_build == 'true' + if: github.repository_owner == 'wolfssl' && (github.event_name != 'pull_request' || needs.check-changes.outputs.needs_build == 'true') runs-on: ubuntu-24.04 timeout-minutes: 10 strategy: fail-fast: false matrix: - include: ${{ fromJson(needs.load-targets.outputs.matrix) }} + include: ${{ fromJson(needs.load-targets.outputs.matrix || '[]') }} steps: - name: Checkout repository