From a3684a0d5a36612b8fe00c4106d759cf933fe28e Mon Sep 17 00:00:00 2001
From: Aaron Friel <mayreply@aaronfriel.com>
Date: Tue, 15 Nov 2022 14:26:55 -0800
Subject: [PATCH] ci: Skip CI workflows on forks where permissions would cause
 workflow to fail.

---
 .github/workflows/on-pr.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml
index 7156c82b7200..5c6647b2ff99 100644
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -12,9 +12,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# The jobs in this workflow are only run on branches. The `on-community-pr.yml` job provides
+# commands for running workflows from forks.
+
 jobs:
   changelog-comment:
     name: changelog preview
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     permissions:
       contents: read
       pull-requests: write
@@ -28,6 +32,7 @@ jobs:
 
   info:
     name: info
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     uses: ./.github/workflows/ci-info.yml
     permissions:
       contents: read
@@ -38,6 +43,7 @@ jobs:
 
   ci:
     name: CI
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     needs: [info]
     uses: ./.github/workflows/ci.yml
     permissions:
@@ -65,7 +71,11 @@ jobs:
 
   prepare-release:
     name: prepare
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }}
+    if: |
+      ${{
+        github.event.pull_request.head.repo.full_name == github.repository
+        && contains(github.event.pull_request.labels.*.name, 'ci/test')
+      }}
     needs: [info, ci]
     uses: ./.github/workflows/ci-prepare-release.yml
     permissions: