From a6dfe2bfb8624816d3f5ebb2a61b08fcf6eab087 Mon Sep 17 00:00:00 2001
From: Aryamanz29
Date: Wed, 22 Apr 2026 15:35:03 +0530
Subject: [PATCH 1/2] fix(ci): skip secret-dependent jobs on fork PRs [BLDX-1113] Add fork detection to jobs that require org secrets (ORG_PAT_GITHUB, CHAINGUARD_*, database credentials). Fork PRs now gracefully skip these jobs instead of failing with "token not supplied". Jobs gated on fork != true: - Conventional Commits (needs ORG_PAT_GITHUB) - Trivy Container Scan (needs Chainguard creds) - Run Examples (needs Postgres/Snowflake creds) - E2E Apps (needs ORG_PAT to trigger external workflows) Jobs that still run on forks: - Changes detection, Docstring coverage, Trivy code scan - Unit tests, Integration tests - Helm lint, E2E K8s
---
 .github/workflows/pull_request.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 2976e7366..0434fa60b 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -35,9 +35,10 @@ jobs:
 - 'uv.lock'
 - 'examples/**'
- # Conventional Commits
+ # Conventional Commits (skipped on fork PRs — no org PAT available)
 commits:
 name: Conventional Commits
+ if: github.event.pull_request.head.repo.fork != true
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -74,7 +75,7 @@ jobs:
 trivy-container:
 name: Trivy Container Scan
 needs: changes
- if: needs.changes.outputs.container == 'true'
+ if: needs.changes.outputs.container == 'true' && github.event.pull_request.head.repo.fork != true
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
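Review bot: The gate added to the `commits` job keys on `head.repo.fork`, which reports whether the head repository is a fork of anything, not whether the PR comes from outside this repository; the same clause is repeated in the `trivy-container`, `run-examples` and `e2e-apps` conditions. If this repository is ever itself a fork, same-repo PRs would be skipped as well, and Dependabot PRs (same repository, but without Actions secrets) would presumably still reach the secret-dependent steps. Comparing `github.event.pull_request.head.repo.full_name == github.repository` states "secrets are available" more directly. The workflow's triggers are outside the hunk, so confirm how that comparison evaluates for any non-`pull_request` event before switching; the job's steps also continue outside the hunk.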
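Review bot: With the new condition the `trivy-container` job is skipped for every fork PR, so container changes from outside contributors are not scanned by this workflow before merge, and a skipped job reports as success if it is a required status check. Whether a scan runs elsewhere (for example on push to the default branch) is not visible here; if it does not, that gap is worth closing or at least documenting. Unlike `commits`, this job got no comment: suggest `# Skipped on fork PRs (no Chainguard creds): container changes from forks are not scanned by this job` above `trivy-container:`.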
@@ -252,7 +253,7 @@ jobs:
 run-examples:
 name: Run Examples
 needs: matrix-builder
- if: ((github.event.action == 'labeled' && github.event.label.name == 'run-examples') || contains(github.event.pull_request.labels.*.name, 'run-examples'))
+ if: ((github.event.action == 'labeled' && github.event.label.name == 'run-examples') || contains(github.event.pull_request.labels.*.name, 'run-examples')) && github.event.pull_request.head.repo.fork != true
 runs-on: ${{ matrix.os }}
 strategy:
 fail-fast: false
@@ -274,7 +275,7 @@ jobs:
 e2e-apps:
 name: E2E (Apps)
 needs: [changes, matrix-builder]
- if: ((github.event.action == 'labeled' && github.event.label.name == 'e2e-test') || contains(github.event.pull_request.labels.*.name, 'e2e-test'))
+ if: ((github.event.action == 'labeled' && github.event.label.name == 'e2e-test') || contains(github.event.pull_request.labels.*.name, 'e2e-test')) && github.event.pull_request.head.repo.fork != true
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
From 13e441a31fa8e34a3379ccdfe023e8c7c606e68f Mon Sep 17 00:00:00 2001
From: vaibhavatlan
Date: Wed, 22 Apr 2026 17:46:14 +0530
Subject: [PATCH 2/2] fix(ci): include .github changes in code paths-filter Workflow-only PRs were stuck because the paths-filter never set code=true, so required checks (Unit Tests matrix) never ran and GitHub waited forever for status to be reported.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/pull_request.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 0434fa60b..77dac1fbf 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -34,6 +34,7 @@ jobs:
 - 'pyproject.toml'
 - 'uv.lock'
 - 'examples/**'
+ - '.github/**'
 # Conventional Commits (skipped on fork PRs — no org PAT available)
 commits:
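Review bot: On a fork PR the `run-examples` label now does nothing, and nothing in the job says why; the `e2e-test` label in the `e2e-apps` hunk behaves the same way. Suggest a comment above each job, e.g. `# Skipped on fork PRs even when labeled: Postgres/Snowflake creds are not available` and `# Skipped on fork PRs even when labeled: ORG_PAT is not available`, so a maintainer who labels a fork PR is not left guessing. The `if:` line is also long enough that the fork clause is easy to miss in review. A folded scalar (`if: >-`) with the label clause and the fork clause on separate lines would keep the security-relevant condition visible.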
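Review bot: The new `'.github/**'` entry sits in the `code` filter with no hint of why CI configuration counts as code; suggest a trailing comment such as `# workflow-only PRs must still trigger the required Unit Tests matrix`. The entry fixes the workflow-only case, but judging from the commit message any PR that touches only paths outside this filter would presumably leave the same required matrix checks unreported. The rest of the filter is outside the hunk, so confirm. A single always-running gate job used as the required check is the usual way to remove that dependency on the filter.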