fix: bac-24 Only run publish-beta workflow on trusted PRs

Only run this job if the PR is from a trusted collaborator (i.e. not a fork) Signed-off-by: Lucian Buzzo <lucian.buzzo@gmail.com>
cerebruminc · Mar 27, 2023 · 96c19d2 · 96c19d2
1 parent 3305ff8
commit 96c19d2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/publish-beta.yml b/.github/workflows/publish-beta.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    # Only run this job if the PR is from a trusted collaborator (i.e. not a fork)
+    if: github.event.pull_request.head.repo.full_name == github.repository
     env:
       CEREBRUM_NPM_TOKEN: ${{ secrets.CEREBRUM_NPM_TOKEN }}
     steps:
@@ -38,4 +40,4 @@ jobs:
       - name: Publish beta package
         run: npm publish --tag beta
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.CEREBRUM_PUBLISH_NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.CEREBRUM_PUBLISH_NPM_TOKEN }}