CI: skip Snyk check on forks PR (#3453)

Since the Snyk action requires some secrets that aren't not available on PRs created from a fork, we skip them to avoid this kind of security issues. Closes: #3451 Signed-off-by: Tao Li <tao.li@enterprisedb.com> Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com> Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Co-authored-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com> Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com> (cherry picked from commit 057039a)
cloudnative-pg · Dec 11, 2023 · f125617 · f125617
1 parent e374853
commit f125617
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -560,6 +560,9 @@ jobs:
 
       - name: Run Snyk to check Docker image for vulnerabilities
         uses: snyk/actions/docker@master
+        if: |
+          github.repository_owner == 'cloudnative-pg' &&
+          !github.event.pull_request.head.repo.fork
         continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -570,7 +573,8 @@ jobs:
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
         if: |
-          github.repository_owner == 'cloudnative-pg'
+          github.repository_owner == 'cloudnative-pg' &&
+          !github.event.pull_request.head.repo.fork
         with:
           sarif_file: snyk.sarif