
Block fork pull request workflow jobs #179

Merged: dikshant-coderabbit merged 1 commit into main from coderabbit/actions-lockdown-external-prs on May 12, 2026

Conversation

@harjotgill (Contributor) commented May 12, 2026

Summary

  • Skip GitHub Actions jobs for pull requests opened from forks.
  • Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

  • Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

  • Chores
    • Optimized continuous integration workflow configuration for improved development efficiency.


@harjotgill harjotgill requested a review from NatoBoram as a code owner May 12, 2026 16:57
@coderabbitai (Bot) commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info / ⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2b38d741-b62b-4921-bc31-2e317790d857

📥 Commits

Reviewing files that changed from the base of the PR and between 4fe2d08 and b48be63.

📒 Files selected for processing (1)
  • .github/workflows/lint.yml

Walkthrough

Added conditional if: gates to three CI jobs (shellcheck, completions, test) in the lint workflow. Each job now restricts execution to non-PR events or pull requests originating from the same repository, preventing workflow runs on external fork contributions.

Changes

CI Job Security Gates

Layer / File(s): Conditional gates for CI jobs (.github/workflows/lint.yml)
Summary: shellcheck, completions, and test jobs now include if: conditions to run only for non-PR events or PRs from the same repository.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Three jobs now stand at the gate with care,
External forks? They shall not enter there!
Same repo PRs and direct commits flow free,
A safer workflow, efficient and key! 🔐

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Block fork pull request workflow jobs' accurately and concisely describes the main change—restricting GitHub Actions workflow jobs from running on pull requests from forks.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

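The per-job gate described in the PR summary and in the walkthrough above, written out as an added illustration rather than the repository's actual lint.yml: the job names shellcheck, completions and test come from the walkthrough, while the trigger list, the exact GitHub expression used for the gate, the runner and the step commands are assumptions.

```yaml
# Added example, not the repository's own workflow file.
# Each job carries the same `if:` gate: it runs for every event that is not a
# pull_request (push, merge_group, issues, ...) and for pull requests whose head
# branch lives in this repository, and is skipped for pull requests from forks.
# GitHub Actions has no workflow-level `if:`, so the condition is repeated per job.
name: lint

on:                      # assumed trigger list
  push:
    branches: [main]
  pull_request:
  merge_group:

jobs:
  shellcheck:
    # push / merge_group: event_name != 'pull_request'            -> runs
    # same-repo PR:       head.repo.full_name == github.repository -> runs
    # fork PR:            head.repo.full_name is the fork's name   -> skipped
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: shellcheck ./*.sh                 # assumed lint step

  completions:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check-completions.sh    # assumed; path is a placeholder

  test:
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh                 # assumed; path is a placeholder
```

The file can be sanity-checked the same way the PR's validation step did, with yq e '.' .github/workflows/lint.yml. A job skipped by its `if:` counts as satisfied for a required status check, so fork pull requests are not linted or tested at all and a maintainer has to run those checks after reviewing the change.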

@dikshant-coderabbit dikshant-coderabbit merged commit 828413f into main May 12, 2026
4 checks passed
@dikshant-coderabbit dikshant-coderabbit deleted the coderabbit/actions-lockdown-external-prs branch May 12, 2026 17:38