From e3e2cd98ec960791b1e3ac2d3720d2a2f4041031 Mon Sep 17 00:00:00 2001
From: Sam Gammon
Date: Mon, 11 Mar 2024 17:37:05 -0700
Subject: [PATCH] fixup! sensitive jobs on fork pr runs

Signed-off-by: Sam Gammon
---
 .github/workflows/codeql.yml | 8 +++++++-
 .github/workflows/on.pr.yml  | 4 +++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 71d62f4dc5b5..8ad14e2686f3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,7 +1,13 @@
 name: "CodeQL"
 
 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      publish:
+        type: boolean
+        description: "Publish SARIF"
+        default: true
+  workflow_dispatch: {}
   push:
     branches: ["master"]
 
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
index a7cd494d7e69..42bd70976791 100644
--- a/.github/workflows/on.pr.yml
+++ b/.github/workflows/on.pr.yml
@@ -26,7 +26,7 @@ jobs:
       contents: write
       id-token: write
     with:
-      provenance: true
+      provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
       provenance_publish: false
       snapshot: false
 
@@ -62,3 +62,5 @@ jobs:
       actions: read
       contents: read
       security-events: write
+      with:
+        publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
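Review bot: The `default: true` on the new `publish` input in codeql.yml only takes effect when the workflow is reached through `workflow_call`; on the existing `push` trigger and the newly added `workflow_dispatch: {}`, `inputs.publish` is empty, so any job gated with a plain `if: inputs.publish` would skip the SARIF upload on master pushes and manual runs. The consumer of the input is not in this hunk, so this is inferred from the declaration alone; if push-triggered publishing is intended, the gate should treat the absent input as true, for example `if: ${{ inputs.publish || github.event_name != 'pull_request' }}`. Declaring the same `publish` input under `workflow_dispatch` would also make manual runs explicit instead of relying on the empty value. A one-line comment above the input, `# only honoured when called from another workflow; push/dispatch runs see an empty value`, would save the next reader the same trip through the docs.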
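Review bot: The hard-coded `'google/guava'` in the new `provenance:` guard in on.pr.yml breaks as soon as this workflow runs anywhere other than that exact repository: in a fork, `head.repo.full_name` is the fork's own name even for same-repo PRs, so provenance would be silently disabled for every PR with no error to notice. Comparing against the repository the workflow is running in, `provenance: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`, states "not from a fork" directly and survives renames and forks; the identical expression on the `publish:` line of the second on.pr.yml hunk has the same problem and should change together with it. A short comment above the line, `# fork PRs run with a read-only token, so provenance and SARIF publishing only run for same-repo PRs`, would record why the guard exists. The enclosing job starts outside the hunk.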