Skip RTD checks in CI when PR comes from outside the organization #145

Closed
freakboy3742 opened this issue Jun 16, 2024 · 2 comments
Labels
bug A crash or error in behavior. good first issue Is this your first time contributing? This could be a good place to start!

Comments

@freakboy3742
Member

Describe the bug

When a PR to this repo is submitted from outside the organisation (e.g., a Dependabot update), CI tasks checking RTD will fail.

Steps to reproduce

Submit a PR from a non-BeeWare repo. CI will fail the "Verify Docs Build (briefcase)" and "Verify Docs Build (toga)" tasks.

Expected behavior

CI should pass green, with the RTD tests being skipped.

Screenshots

No response

Environment

  • Operating System: CI

Logs

See https://github.com/beeware/.github/actions/runs/9538701504/job/26288364901?pr=144

Run echo "Verifying docs for v0.3.13 were successfully built:"
  echo "Verifying docs for v0.3.13 were successfully built:"
  while true
  do
      RTD_RESPONSE=$(curl -s -H "Authorization: Token " "${RTD_API_URL}")
      IS_DOCS_BUILT=$(jq .built <<< ${RTD_RESPONSE})
  
      echo "::group::IS_DOCS_BUILT=${IS_DOCS_BUILT}"
      jq <<< ${RTD_RESPONSE}
      echo "::endgroup::"
  
      if [[ "${IS_DOCS_BUILT}" == "true" ]]; then
          exit 0
      fi
  
      sleep 5
  done
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    RTD_API_URL: https://readthedocs.org/api/v3/projects/briefcase/versions/v0.3.13/
Verifying docs for v0.3.13 were successfully built:
IS_DOCS_BUILT=null
  {
    "detail": "Invalid token header. No credentials provided."
  }

...

IS_DOCS_BUILT=null
  {
    "detail": "Invalid token header. No credentials provided."
  }
Error: The operation was canceled.

Additional context

The problem appears to be that the job requires an API token, but that API token isn't exposed to external PRs.

In practice, this isn't an issue, as PRs from BeeWare (such as the autoupdate script) and use in downstream repos (where it is part of the release workflows) will always have access to the token. This is purely an inconvenience for evaluating PRs submitted to this repo - and even then, only Dependabot PRs.

We either need to skip these tests if the submitting repository isn't beeware; or switch to a mechanism of evaluating a build that doesn't require an API token (e.g., a direct inspection of the expected published page, looking for a 404?)

This isn't a new problem; it has existed for a while. It's easy enough to work around, but I figured if someone has some spare time, it would be a nice bit of polish to fix it.

@freakboy3742 freakboy3742 added bug A crash or error in behavior. good first issue Is this your first time contributing? This could be a good place to start! labels Jun 16, 2024
@rmartin16
Member

The jobs in CI for this repo are already excluded for PRs from forks:

  test-docs-build-verify:
    name: Verify Docs Build
    needs: pre-commit
    # inherited secrets are not exposed to forked repos
    if: ${{ github.event.pull_request.head.repo.owner.login == 'beeware' }}

The issue here isn't that the PR is from a fork but that GitHub has special-cased secrets handling for Dependabot. That is, normally if a user has permission to create a PR against the repo, the CI jobs will have access to the repo's secrets. For Dependabot, though, that isn't true; secrets are managed entirely independently for Dependabot.

So, if you add this RTD token as a secret for Dependabot, these jobs should stop failing.

Alternatively, we could exclude these jobs from Dependabot PRs as well.

@freakboy3742
Member Author

Well that's easy then... I've just added the token for Dependabot.
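
The alternative raised in this thread (excluding the job from Dependabot PRs), combined with a version of the logged polling step that fails fast when the token is missing, as an added example that is not the project's own workflow. The job id, `runs-on` value and the secret name `RTD_TOKEN` are assumptions; the URL and the `beeware` owner check are taken from the thread.

```yaml
# Added example; job id, runner and secret name are assumptions.
jobs:
  verify-docs-build:
    name: Verify Docs Build
    runs-on: ubuntu-latest
    # Fork PRs get no inherited secrets, and Dependabot PRs only see
    # Dependabot secrets, so skip both kinds of PR here.
    if: >-
      ${{ github.event.pull_request.head.repo.owner.login == 'beeware'
          && github.event.pull_request.user.login != 'dependabot[bot]' }}
    env:
      RTD_API_URL: https://readthedocs.org/api/v3/projects/briefcase/versions/v0.3.13/
      RTD_TOKEN: ${{ secrets.RTD_TOKEN }}  # hypothetical secret name
    steps:
      - name: Verify docs were built
        shell: bash
        run: |
          # A secret that is not exposed to the run expands to an empty string,
          # which yields "Invalid token header. No credentials provided."
          if [[ -z "${RTD_TOKEN}" ]]; then
              echo "::error::RTD token is not available to this run"
              exit 1
          fi
          for attempt in $(seq 1 60); do  # bounded: roughly 5 minutes
              RTD_RESPONSE=$(curl -s -H "Authorization: Token ${RTD_TOKEN}" "${RTD_API_URL}")
              IS_DOCS_BUILT=$(jq .built <<< "${RTD_RESPONSE}")
              if [[ "${IS_DOCS_BUILT}" == "true" ]]; then
                  exit 0
              fi
              # An error payload has no "built" key; retrying cannot fix it.
              if [[ "${IS_DOCS_BUILT}" == "null" ]]; then
                  echo "::error::RTD API error: $(jq -r .detail <<< "${RTD_RESPONSE}")"
                  exit 1
              fi
              sleep 5
          done
          echo "::error::Timed out waiting for the docs build"
          exit 1
```

If the token is added as a Dependabot secret instead, as was done here, the `dependabot[bot]` clause in the `if:` can be dropped and the empty-token guard still catches any run that lacks the secret.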
