From 414a540a396cf46ffccabec002dbf5f0465d3319 Mon Sep 17 00:00:00 2001
From: Derek Cormier <derek@aspect.dev>
Date: Mon, 8 Jan 2024 10:11:12 -0800
Subject: [PATCH] ci: don't run e2es on PRs from forks

---
 .github/workflows/ci.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index aac2a4f..6c90d6a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,6 +23,10 @@ jobs:
 
   e2e:
     runs-on: ubuntu-latest
+    # Don't run e2es on PRs from forks as it requires access to secrets
+    # when using `pull_request`.
+    # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+    if: ${{ github.event.pull_request.head.repo.full_name == 'bazel-contrib/publish-to-bcr' }}
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4