[CI] Fix issues with checking PRs created against repository forks

.github/workflows/engine-nightly.yml

@@ -270,7 +270,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -327,7 +327,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -382,7 +382,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -438,7 +438,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -494,7 +494,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -553,7 +553,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -613,7 +613,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -671,7 +671,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -730,7 +730,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -789,7 +789,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:

.github/workflows/scala-new.yml

@@ -193,7 +193,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -248,7 +248,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -304,7 +304,7 @@ jobs:
       - run: ./run backend test jvm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Engine Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -363,7 +363,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -421,7 +421,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:
@@ -480,7 +480,7 @@ jobs:
           ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }}
           ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - if: success() || failure()
+      - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository
         name: Standard Library Test Reporter
         uses: dorny/test-reporter@v1
         with:

build/build/src/ci_gen.rs

@@ -146,6 +146,13 @@ pub fn not_default_branch() -> String {
     format!("github.ref != 'refs/heads/{DEFAULT_BRANCH_NAME}'")
 }
 
+/// Expression piece that evaluates to `true` if we are **not** building a fork.
+///
+/// As fork builds are run with different permissions, sometimes we need to skip some steps.
+pub fn not_a_fork() -> String {
+    "github.event.pull_request.head.repo.full_name == github.repository".into()
+}
+
 pub fn release_concurrency() -> Concurrency {
     Concurrency::new(RELEASE_CONCURRENCY_GROUP)
 }

build/build/src/ci_gen/step.rs

@@ -1,5 +1,6 @@
 use crate::prelude::*;
 
+use crate::ci_gen::not_a_fork;
 use crate::paths;
 
 use ide_ci::actions::workflow::definition::env_expression;
@@ -17,7 +18,8 @@ pub fn test_reporter(
     Step {
         name: Some(step_name.into()),
         uses: Some("dorny/test-reporter@v1".into()),
-        r#if: Some("success() || failure()".into()),
+        // The action does not support running on forks.
+        r#if: Some(format!("(success() || failure()) && {}", not_a_fork())),
         ..default()
     }
     .with_custom_argument("reporter", "java-junit")

build/build/src/ide/web.rs

@@ -10,7 +10,11 @@ use crate::version::ENSO_VERSION;
 use anyhow::Context;
 use ide_ci::env::known::electron_builder::WindowsSigningCredentials;
 use ide_ci::io::download_all;
+
+
+
 use ide_ci::program::command::FallibleManipulator;
+use ide_ci::program::command::Manipulator;
 use ide_ci::programs::node::NpmCommand;
 use ide_ci::programs::Npm;
 use sha2::Digest;
@@ -169,6 +173,23 @@ pub fn path_to_executable_in_pm_bundle(
         .context("Failed to generate in-bundle path to Project Manager executable.")
 }
 
+/// When secrets are not available in CI builds (e.g. when building a PR from a fork), the variables
+/// are set to empty strings. This manipulator removes such variables from the environment.
+#[derive(Clone, Copy, Debug)]
+pub struct RemoveEmptyCscEnvVars;
+
+impl Manipulator for RemoveEmptyCscEnvVars {
+    fn apply<C: IsCommandWrapper + ?Sized>(&self, command: &mut C) {
+        for var in ide_ci::env::known::electron_builder::CI_CSC_SECRETS {
+            if let Ok(value) = std::env::var(var)
+                && value.is_empty()
+            {
+                command.env_remove(var);
+            }
+        }
+    }
+}
+
 #[derive(Clone, Copy, Debug)]
 pub enum Workspaces {
     Icons,
@@ -326,6 +347,7 @@ impl IdeDesktop {
 
         self.npm()?
             .try_applying(&icons)?
+            .apply(&RemoveEmptyCscEnvVars)
             // .env("DEBUG", "electron-builder")
             .set_env(env::ENSO_BUILD_GUI, gui.as_ref())?
             .set_env(env::ENSO_BUILD_IDE, output_path)?

build/ci_utils/src/env/known/electron_builder.rs

@@ -46,7 +46,18 @@ define_env_var! {
     CSC_FOR_PULL_REQUEST, bool;
 }
 
-
+/// Environment variables set from CI-provided secrets that allow code signing.
+///
+/// These variables might be set to empty strings if the secrets are not available in the CI.
+pub const CI_CSC_SECRETS: &[&str] = &[
+    WIN_CSC_LINK.name,
+    WIN_CSC_KEY_PASSWORD.name,
+    CSC_LINK.name,
+    CSC_KEY_PASSWORD.name,
+    APPLEID.name,
+    APPLEIDPASS.name,
+    APPLETEAMID.name,
+];
 
 /// CSC (Code Signing Certificate) link.
 ///
@@ -86,6 +97,8 @@ impl CscLink {
     /// Create a new certificate file from the environment variable.
     pub fn new_from_env() -> Result<Self> {
         let csc_link = WIN_CSC_LINK.get().or_else(|_| CSC_LINK.get())?;
+        // When secret is not available, we might get a variable with an empty value.
+        ensure!(!csc_link.is_empty(), "CSC link is empty.");
         Self::from_str(&csc_link)
     }
 }

test/AWS_Tests/src/S3_Spec.enso

@@ -22,12 +22,11 @@ import enso_dev.Base_Tests.Network.Enso_Cloud.Cloud_Tests_Setup.Cloud_Tests_Setu
 import enso_dev.Base_Tests.System.File_Spec as Local_File_Spec
 
 test_credentials -> AWS_Credential ! Illegal_State =
-    access_key_id = Environment.get "ENSO_LIB_S3_AWS_ACCESS_KEY_ID"
-    secret_access_key = Environment.get "ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY"
-    credentials = access_key_id.if_not_nothing <|
-        secret_access_key.if_not_nothing <|
-            AWS_Credential.Key access_key_id secret_access_key
-    credentials.if_nothing (Error.throw (Illegal_State.Error "No AWS credentials found in the environment."))
+    access_key_id = Environment.get "ENSO_LIB_S3_AWS_ACCESS_KEY_ID" ""
+    secret_access_key = Environment.get "ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY" ""
+    credentials_set = access_key_id.not_empty && secret_access_key.not_empty
+    if credentials_set then AWS_Credential.Key access_key_id secret_access_key else
+        Error.throw (Illegal_State.Error "No AWS credentials found in the environment.")
 
 ## Runs the action, overriding `AWS_Credential.Default` to point to `test_credentials`.
 with_default_credentials ~action =