fix(ci): skip permissioned workflows on external PRs (#33724)

2026-02-04 03:01:23 +01:00 · 2025-06-23 22:46:03 +02:00
parent 4d1e3edf51
commit 4eded46979
5 changed files with 12 additions and 8 deletions
--- a/.github/workflows/call-flags-project-board.yml
+++ b/.github/workflows/call-flags-project-board.yml
@@ -10,6 +10,8 @@ on:
 jobs:
    call-flags-project:
        uses: PostHog/.github/.github/workflows/flags-project-board.yml@main
+        # Only on PostHog/posthog, as there's no GitHub token on forks
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
        with:
            pr_number: ${{ github.event.pull_request.number }}
            pr_node_id: ${{ github.event.pull_request.node_id }}
--- a/.github/workflows/ci-backend.yml
+++ b/.github/workflows/ci-backend.yml
@@ -438,10 +438,9 @@ jobs:
        needs: [django, async-migrations]
        runs-on: ubuntu-latest
        if: # Run on pull requests to PostHog/posthog + on PostHog/posthog outside of PRs - but never on forks
-            needs.changes.outputs.backend == 'true' &&
-            (
-            github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository
-            ) == 'PostHog/posthog'
+            needs.changes.outputs.backend == 'true' && (
+            (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'PostHog/posthog') ||
+            (github.event_name != 'pull_request' && github.repository == 'PostHog/posthog'))
        steps:
            - name: Calculate running time
              run: |
--- a/.github/workflows/ci-e2e-playwright.yml
+++ b/.github/workflows/ci-e2e-playwright.yml
@@ -15,7 +15,7 @@ jobs:
    changes:
        runs-on: ubuntu-latest
        timeout-minutes: 5
-        if: github.repository == 'PostHog/posthog'
+        if: github.event.pull_request.head.repo.full_name == github.repository
        name: Determine need to run E2E checks
        # Set job outputs to values from filter step
        outputs:
--- a/.github/workflows/ci-frontend.yml
+++ b/.github/workflows/ci-frontend.yml
@@ -369,7 +369,10 @@ jobs:
        name: Calculate running time
        needs: [jest, frontend-typescript-checks, frontend-linting, frontend-toolbar-checks, frontend-eslint, changes]
        runs-on: depot-ubuntu-24.04
-        if: needs.changes.outputs.frontend == 'true'
+        if: # Run on pull requests to PostHog/posthog + on PostHog/posthog outside of PRs - but never on forks
+            needs.changes.outputs.frontend == 'true' && (
+            (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'PostHog/posthog') ||
+            (github.event_name != 'pull_request' && github.repository == 'PostHog/posthog'))
        steps:
            - name: Calculate running time
              run: |
--- a/.github/workflows/storybook-chromatic.yml
+++ b/.github/workflows/storybook-chromatic.yml
@@ -489,8 +489,8 @@ jobs:
        runs-on: ubuntu-latest
        if: # Run on pull requests to PostHog/posthog + on PostHog/posthog outside of PRs - but never on forks
            needs.changes.outputs.frontend == 'true' && (
-            github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository
-            ) == 'PostHog/posthog'
+            (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'PostHog/posthog') ||
+            (github.event_name != 'pull_request' && github.repository == 'PostHog/posthog'))
        steps:
            - name: Calculate running time
              run: |