fixup! sensitive jobs on fork pr runs

Signed-off-by: Sam Gammon <sam@elide.ventures>

.github/workflows/codeql.yml

@@ -1,7 +1,13 @@
 name: "CodeQL"
 
 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      publish:
+        type: boolean
+        description: "Publish SARIF"
+        default: true
+
   workflow_dispatch: {}
   push:
     branches: ["master"]

.github/workflows/on.pr.yml

@@ -26,7 +26,7 @@ jobs:
       contents: write
       id-token: write
     with:
-      provenance: true
+      provenance: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}
       provenance_publish: false
       snapshot: false
 
@@ -62,3 +62,5 @@ jobs:
       actions: read
       contents: read
       security-events: write
+    with:
+      publish: ${{ github.event.pull_request.head.repo.full_name == 'google/guava' }}