Block fork pull request workflow jobs

[harjotgill]

Summary

• Skip GitHub Actions jobs for pull requests opened from forks.
• Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

• Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

• Chores
  • Updated automated workflow execution conditions to improve CI/CD pipeline reliability and consistency across different development scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 24588efb-b395-4391-8f26-38baa12e93ee

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0381f and ed0d785.

📒 Files selected for processing (1)

• .github/workflows/node.js.yaml

---

📝 Walkthrough

Walkthrough

Conditional execution logic for the test and fix workflow jobs is updated to add repository-match guards. Both jobs now explicitly require the PR head repository to match the target repository, preventing execution on forked pull requests.

Changes

CI Fork Safety Guards

Layer / File(s)	Summary
Repository match guards for workflow jobs .github/workflows/node.js.yaml	test and fix jobs updated to require PR event absence or matching repository to prevent fork executions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

enhancement

Poem

🐰 A rabbit hops through workflows grand,
Adding guards across the land,
Forks now blocked with careful care,
Only trusted repos declare!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: blocking fork pull request workflow jobs, which directly aligns with the changeset's purpose.
Description check	✅ Passed	The description provides a comprehensive explanation with summary, rationale, and validation details, though it doesn't strictly follow the provided template structure with the specified section headings.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch coderabbit/actions-lockdown-external-prs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}