workflows: condition steps with secrets on pull_request_target event

In a pull_request event, vars are available, but secrets are not. Thus the steps will run, even though there is no secret to request those tokens - they will fail. The intent was, to skip them entirely in that case. (cherry picked from commit 50f6d8d909)
2026-01-12 02:40:31 +08:00 · 2025-06-02 20:33:47 +02:00
parent af3b972675
commit ce311c48af
2 changed files with 3 additions and 3 deletions
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -67,7 +67,7 @@ jobs:
        run: nix-build trusted/ci -A codeownersValidator

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_RO_APP_ID
+        if: github.event_name == 'pull_request_target' && vars.OWNER_RO_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_RO_APP_ID }}
@@ -103,7 +103,7 @@ jobs:
        run: nix-build trusted/ci -A requestReviews

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
+        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -44,7 +44,7 @@ jobs:
      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
      # Can't use the token received from permissions above, because it can't get enough permissions
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
+        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}