From 32f987fc8c1b51655d76f6099fe9703a5da9f4ee Mon Sep 17 00:00:00 2001 From: Byounguk Lee Date: Mon, 25 May 2026 11:20:54 +0000 Subject: [PATCH] ci: restrict specific workflows to the upstream repository Many GitHub Actions workflows currently trigger on user forks, leading to unnecessary CI resource consumption, unwanted bot behavior, and inevitable failures. This commit restricts these specific workflows to only run on the primary `containers/podman` repository. The restricted workflows fall into two main categories: 1. Require Custom Upstream Secrets: Workflows like `release`, `mac-pkg`, `cherry-pick`, and `dev-bump` rely on secrets (e.g., Apple/Azure certs, PODMANBOT_TOKEN, ACTION_MAIL_*) that are unavailable in forks. 2. Manage Upstream Tracker State: Workflows like `assign`, `stale`, and `labeler` are intended strictly for managing the primary project's issues and PRs. Running them on personal forks creates unwanted noise. Additionally, refactored several complex `if` conditions using YAML multi-line strings (`|`) to maintain and improve readability. Signed-off-by: Byounguk Lee --- .github/workflows/assign.yml | 5 ++++- .github/workflows/cherry-pick.yml | 6 ++++-- .github/workflows/ci.yml | 6 ++++++ .github/workflows/dev-bump.yml | 1 + .github/workflows/first_contrib_cert_generator.yml | 7 ++++++- .github/workflows/issue-labeler.yml | 1 + .github/workflows/issue_pr_lock.yml | 1 + .github/workflows/labeler.yml | 1 + .github/workflows/machine-os-pr.yml | 1 + .github/workflows/needs-info-labeler.yaml | 4 +++- .github/workflows/release-build-artifacts.yml | 2 ++ .github/workflows/release-pipeline-validation.yml | 13 ++++++++++--- .github/workflows/release.yml | 1 + .github/workflows/stale.yml | 2 +- .github/workflows/update-podmanio.yml | 1 + 15 files changed, 43 insertions(+), 9 deletions(-) diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml index 3ed6bf4fba..ac24417653 100644 --- a/.github/workflows/assign.yml +++ b/.github/workflows/assign.yml @@ -7,7 +7,10 @@ on: jobs: assign: # Only run on issue comments (not PR comments) - if: "!github.event.issue.pull_request && contains(github.event.comment.body, '/assign')" + if: | + !github.event.issue.pull_request && + contains(github.event.comment.body, '/assign') && + github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml index 3460f3d2f7..c31a2eed87 100644 --- a/.github/workflows/cherry-pick.yml +++ b/.github/workflows/cherry-pick.yml @@ -11,7 +11,8 @@ jobs: if: | github.event_name == 'issue_comment' && github.event.issue.pull_request && - contains(github.event.comment.body, '/cherry-pick ') + contains(github.event.comment.body, '/cherry-pick ') && + github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: contents: write @@ -194,7 +195,8 @@ jobs: cherry-pick-on-merge: if: | github.event_name == 'pull_request' && - github.event.pull_request.merged == true + github.event.pull_request.merged == true && + github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: contents: write diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c808aaeb77..133da019e3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,6 +19,7 @@ concurrency: jobs: path-filter: runs-on: ubuntu-latest + if: github.repository == 'podman-container-tools/podman' outputs: all: ${{ steps.filter.outputs.all }} code: ${{ steps.filter.outputs.code }} @@ -46,6 +47,7 @@ jobs: validate-source: name: Validate source code changes runs-on: cncf-ubuntu-8-32-x86 + if: github.repository == 'podman-container-tools/podman' permissions: pull-requests: read # For hack/ci/pr-should-include-tests to query PR labels. env: @@ -183,6 +185,7 @@ jobs: build-alt: name: Cross Build (Linux, FreeBSD) runs-on: cncf-ubuntu-16-64-x86 + if: github.repository == 'podman-container-tools/podman' steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: @@ -196,6 +199,7 @@ jobs: build: name: build ${{ matrix.distro }} + if: github.repository == 'podman-container-tools/podman' strategy: fail-fast: false matrix: @@ -210,6 +214,7 @@ jobs: windows-installer: name: windows installer ${{ matrix.provider }} runs-on: windows-2025-vs2026 + if: github.repository == 'podman-container-tools/podman' timeout-minutes: 20 permissions: contents: read @@ -285,6 +290,7 @@ jobs: macos-installer: name: macos installer runs-on: macos-26 + if: github.repository == 'podman-container-tools/podman' timeout-minutes: 15 steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml index 2ad1bc4fe8..6452a7f568 100644 --- a/.github/workflows/dev-bump.yml +++ b/.github/workflows/dev-bump.yml @@ -8,6 +8,7 @@ permissions: {} jobs: bump: + if: github.repository == 'podman-container-tools/podman' name: Bump to -dev runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml index 383cc267a0..7da6abe060 100644 --- a/.github/workflows/first_contrib_cert_generator.yml +++ b/.github/workflows/first_contrib_cert_generator.yml @@ -22,7 +22,12 @@ jobs: screenshot_and_comment: # This job runs if the PR was merged or if it's a manual trigger. # The logic for first-time contributors is handled in a dedicated step below. - if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }} + if: | + ( + github.event_name == 'workflow_dispatch' || + github.event.pull_request.merged == true + ) && + github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: contents: read # Write access for certificate storage diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml index 12f2a59576..895527e863 100644 --- a/.github/workflows/issue-labeler.yml +++ b/.github/workflows/issue-labeler.yml @@ -8,6 +8,7 @@ permissions: jobs: triage: + if: github.repository == 'podman-container-tools/podman' permissions: contents: read # for github/issue-labeler to get repo contents issues: write # for github/issue-labeler to create or remove labels diff --git a/.github/workflows/issue_pr_lock.yml b/.github/workflows/issue_pr_lock.yml index 303eb48a07..b379bd8339 100644 --- a/.github/workflows/issue_pr_lock.yml +++ b/.github/workflows/issue_pr_lock.yml @@ -45,6 +45,7 @@ env: jobs: manage_locking: + if: github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 8d3f141f30..22d7cba627 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -7,6 +7,7 @@ permissions: {} jobs: triage: + if: github.repository == 'podman-container-tools/podman' permissions: contents: read pull-requests: write diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml index d216afd3cb..d2524c61e5 100644 --- a/.github/workflows/machine-os-pr.yml +++ b/.github/workflows/machine-os-pr.yml @@ -14,6 +14,7 @@ concurrency: jobs: podman-image-build-pr: + if: github.repository == 'podman-container-tools/podman' name: Open PR on podman-machine-os runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/needs-info-labeler.yaml b/.github/workflows/needs-info-labeler.yaml index aa048b27f5..da4236686b 100644 --- a/.github/workflows/needs-info-labeler.yaml +++ b/.github/workflows/needs-info-labeler.yaml @@ -8,7 +8,9 @@ permissions: {} jobs: add-comment: - if: github.event.label.name == 'needs-info' + if: | + github.event.label.name == 'needs-info' && + github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/release-build-artifacts.yml b/.github/workflows/release-build-artifacts.yml index 232163489f..e7b0d2b3c9 100644 --- a/.github/workflows/release-build-artifacts.yml +++ b/.github/workflows/release-build-artifacts.yml @@ -49,6 +49,7 @@ jobs: build-artifacts: name: Build Artifacts runs-on: ubuntu-latest + if: github.repository == 'podman-container-tools/podman' outputs: version_display: ${{ steps.set-version.outputs.version_display }} steps: @@ -88,6 +89,7 @@ jobs: mac-pkg: name: Build MacOS pkginstaller runs-on: macos-latest + if: github.repository == 'podman-container-tools/podman' env: APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }} CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }} diff --git a/.github/workflows/release-pipeline-validation.yml b/.github/workflows/release-pipeline-validation.yml index 9377ffa057..7a20f487cb 100644 --- a/.github/workflows/release-pipeline-validation.yml +++ b/.github/workflows/release-pipeline-validation.yml @@ -17,7 +17,9 @@ jobs: get-latest-release: name: Get branch for latest release runs-on: ubuntu-latest - if: github.event_name == 'schedule' + if: | + github.event_name == 'schedule' && + github.repository == 'podman-container-tools/podman' outputs: release_ref: ${{ steps.set.outputs.release_ref }} steps: @@ -44,7 +46,9 @@ jobs: build-artifacts-main: name: Build Artifacts (main) uses: ./.github/workflows/release-build-artifacts.yml - if: github.event_name == 'schedule' + if: | + github.event_name == 'schedule' && + github.repository == 'podman-container-tools/podman' with: version: 'main' secrets: @@ -89,7 +93,9 @@ jobs: build-artifacts-single: name: Build Artifacts uses: ./.github/workflows/release-build-artifacts.yml - if: github.event_name == 'workflow_dispatch' + if: | + github.event_name == 'workflow_dispatch' && + github.repository == 'podman-container-tools/podman' with: version: ${{ inputs.ref }} secrets: @@ -110,6 +116,7 @@ jobs: validate-tokens: name: Validate GitHub tokens + if: github.repository == 'podman-container-tools/podman' runs-on: ubuntu-latest steps: - name: Validate PODMANBOT_TOKEN diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 437b7a6731..a556dcf737 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,7 @@ permissions: jobs: check: + if: github.repository == 'podman-container-tools/podman' name: Check runs-on: ubuntu-latest steps: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3336ad7380..7fb6c4662e 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,7 @@ permissions: jobs: stale: - + if: github.repository == 'podman-container-tools/podman' permissions: issues: write # for actions/stale to close stale issues pull-requests: write # for actions/stale to close stale PRs diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml index 3d1756da10..7873319c4c 100644 --- a/.github/workflows/update-podmanio.yml +++ b/.github/workflows/update-podmanio.yml @@ -22,6 +22,7 @@ permissions: {} jobs: bump: + if: github.repository == 'podman-container-tools/podman' name: Bump runs-on: ubuntu-24.04 permissions: