From 9379d370f745a800daf651d438925064d44499c7 Mon Sep 17 00:00:00 2001
From: Mark Kercso
Date: Fri, 28 Nov 2025 11:17:44 +0000
Subject: [PATCH] Only report build failures on protected branches

---
 .github/workflows/build-targets.yaml | 10 +++++++++-
 .github/workflows/security-scan.yaml | 5 ++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-targets.yaml b/.github/workflows/build-targets.yaml
index ed2e799..3c353f8 100644
--- a/.github/workflows/build-targets.yaml
+++ b/.github/workflows/build-targets.yaml
@@ -108,6 +108,14 @@ jobs:
 REPOSITORY: ${{ github.repository }}
 AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 steps:
+ - name: Check if protected branch
+ id: check-branch
+ run: |
+ if [[ "$GITHUB_REF_NAME" == "main" ]] || [[ "$GITHUB_REF_NAME" =~ ^[0-9]+\.[0-9]+$ ]]; then
+ echo "is_protected=true" >> $GITHUB_OUTPUT
+ else
+ echo "is_protected=false" >> $GITHUB_OUTPUT
+ fi
 - name: Use role credentials for metrics
 id: aws-creds
 continue-on-error: ${{ env.REPOSITORY != 'aws/code-editor' }}
@@ -117,7 +125,7 @@ jobs:
 role-duration-seconds: 900
 aws-region: us-east-1
 - name: Report failure
- if: steps.aws-creds.outcome == 'success'
+ if: steps.aws-creds.outcome == 'success' && steps.check-branch.outputs.is_protected == 'true'
 run: |
 aws cloudwatch put-metric-data \
 --namespace "GitHub/Workflows" \
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
index b57f486..0372faa 100644
--- a/.github/workflows/security-scan.yaml
+++ b/.github/workflows/security-scan.yaml
@@ -616,7 +616,10 @@ jobs:
 owner: context.repo.owner,
 repo: context.repo.repo,
 workflow_id: "build-targets.yaml",
- ref: context.ref
+ ref: context.ref,
+ inputs: {
+ triggered_by: 'workflow'
+ }
 })
 
 handle-failures:
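Review bot: Both `echo` lines in the new `check-branch` step redirect to an unquoted `$GITHUB_OUTPUT`; write `>> "$GITHUB_OUTPUT"` so an empty or space-containing value fails the step instead of silently redirecting elsewhere. The step is named "Check if protected branch" but the test is purely by name (`main` or a `<major>.<minor>` release branch), not the repository's branch-protection rules, and on pull_request events `GITHUB_REF_NAME` is `<n>/merge`, so PR runs are classified as unprotected — presumably intended given the subject, but a comment above the `if` such as `# "protected" = main or an X.Y release branch by name; PR refs (<n>/merge) never match` would keep the next reader from conflating the two. Reading the ref from the `$GITHUB_REF_NAME` environment variable rather than interpolating `${{ github.ref_name }}` into the script is the right choice and should stay. The enclosing job definition starts before the hunk.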
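Review bot: The `triggered_by` key added to the dispatch `inputs` must be declared under `workflow_dispatch.inputs` in build-targets.yaml, otherwise the API call (this looks like a workflow-dispatch request, though the method name is outside the hunk) is rejected for an unexpected input and the build is never started; the build-targets.yaml hunks in this same commit add no such input and nothing visible reads it, so either it already exists or this is dead data that breaks the dispatch — worth confirming before merge. If the input does exist, a one-line comment above it, `// triggered_by lets build-targets distinguish a scan-initiated run from a manual dispatch`, would record the intent. The object literal also mixes quote styles (`"build-targets.yaml"` and `'workflow'`); pick one for the script. The enclosing script block starts before the hunk.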