From e3e2cd98ec960791b1e3ac2d3720d2a2f4041031 Mon Sep 17 00:00:00 2001
From: Sam Gammon <sam@elide.ventures>
Date: Mon, 11 Mar 2024 17:37:05 -0700
Subject: [PATCH] fixup! sensitive jobs on fork pr runs

Signed-off-by: Sam Gammon <sam@elide.ventures>
---
 .github/workflows/codeql.yml | 8 +++++++-
 .github/workflows/on.pr.yml  | 4 +++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 71d62f4dc5b5..8ad14e2686f3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,7 +1,13 @@
 name: "CodeQL"
 
 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      publish:
+        type: boolean
+        description: "Publish SARIF"
+        default: true
+
   workflow_dispatch: {}
   push:
     branches: ["master"]
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
index a7cd494d7e69..42bd70976791 100644
--- a/.github/workflows/on.pr.yml
+++ b/.github/workflows/on.pr.yml
@@ -26,7 +26,7 @@ jobs:
       contents: write
       id-token: write
     with:
-      provenance: true
+      provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
       provenance_publish: false
       snapshot: false
 
@@ -62,3 +62,5 @@ jobs:
       actions: read
       contents: read
       security-events: write
+    with:
+      publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}