ci: Restrict the attestations to only be created when running within …

…the main repo
tektronix · May 21, 2024 · b918a63 · b918a63
1 parent 8cab808
commit b918a63
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/.github/workflows/package-build.yml b/.github/workflows/package-build.yml
@@ -30,7 +30,7 @@ jobs:
       - uses: hynek/build-and-inspect-python-package@v2.5.0
         id: build-pkg
         with:
-          attest-build-provenance-github: ${{ github.event.pull_request.head.repo.fork != 'true' && github.event.workflow_call.pull_request.head.repo.fork != 'true' }}
+          attest-build-provenance-github: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event.workflow_call.pull_request.head.repo.full_name != github.repository && github.actor != 'dependabot[bot]' }}
       - name: Set up Python
         uses: actions/setup-python@v5
         with:

diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
@@ -31,7 +31,7 @@ jobs:
           format: spdx-json
           output-file: ${{ github.event.repository.name }}-sbom.spdx.json
       - uses: actions/attest-build-provenance@v1
-        if: ${{ github.event.pull_request.head.repo.fork != 'true' && github.event.workflow_call.pull_request.head.repo.fork != 'true' }}
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event.workflow_call.pull_request.head.repo.full_name != github.repository && github.actor != 'dependabot[bot]' }}
         with:
           subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
       - name: Scan SBOM