CI: Skip vault secrets and publish-report for fork PRs #2547
Fork PRs fail CI because they can't access Grafana's Vault via OIDC and lack write permissions to push to gh-pages. Gate all vault secret steps, sign-plugin, Docker login and publish-report with a fork check so external contributors get green CI on the jobs that can run without internal secrets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Hello! 👋 This repository uses Auto for releasing packages using PR labels. ✨ This PR can be merged. It will not be considered when calculating future versions of the npm packages and will not appear in the changelogs.
| NX_BRANCH: ${{ github.event.number || github.ref_name }} | ||
| steps: | ||
| - id: get-secrets | ||
| if: ${{ github.event.pull_request.head.repo.fork != true }} |
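Review bot: The `if:` on the `get-secrets` step carries no comment explaining why it is written as `!= true`, and on non-pull-request events `github.event.pull_request` is not populated, so the outcome depends on how the expression engine compares a missing value. Add a one-line YAML comment above the condition saying the step must keep running on push builds and is skipped only for fork PRs, so a later rewrite of the comparison gets checked against both cases.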
Is this a GitHub workflow thing, or can we write `${{ github.event.pull_request.head.repo.fork == false }}` instead?
According to Claude, on push events `github.event.pull_request` is null, so `.head.repo.fork` is also null. `null != true` evaluates to true (step runs), but `null == false` would be false and skip vault secrets on main. This is kind of hard to verify, but it's described here: https://github.com/orgs/community/discussions/25645
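Added example, not part of the PR or the thread: the two spellings of the fork gate from the review comments above, evaluated with a small JavaScript model of the loose-equality coercion in GitHub's workflow-expression documentation. The helper names and the three event payloads are constructed for illustration, and `Number()` only approximates the documented string parsing.

```javascript
// Model (assumed from GitHub's expression docs): when operand types differ,
// both sides are coerced to numbers before comparing:
// null -> 0, true -> 1, false -> 0, '' -> 0, other text -> NaN, object -> NaN.
const kind = (v) => (v === null || v === undefined ? 'null' : typeof v);

function toNumber(v) {
  switch (kind(v)) {
    case 'null': return 0;
    case 'boolean': return v ? 1 : 0;
    case 'number': return v;
    case 'string': return v.trim() === '' ? 0 : Number(v);
    default: return NaN; // arrays and objects
  }
}

function looseEqual(a, b) {
  if (kind(a) === 'null' && kind(b) === 'null') return true;
  if (kind(a) === kind(b)) {
    // Same type: strings compare case-insensitively, everything else strictly.
    return typeof a === 'string' ? a.toLowerCase() === b.toLowerCase() : a === b;
  }
  return toNumber(a) === toNumber(b); // NaN never compares equal
}

// A missing property anywhere along the path yields null, as in a workflow.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? null : (o[k] ?? null)), ctx);
}

// Constructed event payloads, trimmed to the one field the gate reads.
const pr = (fork) => ({ github: { event: { pull_request: { head: { repo: { fork } } } } } });
const events = { push: { github: { event: {} } }, sameRepoPr: pr(false), forkPr: pr(true) };

// For each event: would a step gated with each spelling run?
function gateTable() {
  const out = {};
  for (const [name, ctx] of Object.entries(events)) {
    const fork = lookup(ctx, 'github.event.pull_request.head.repo.fork');
    out[name] = { neTrue: !looseEqual(fork, true), eqFalse: looseEqual(fork, false) };
  }
  return out;
}

console.table(gateTable());
```

Under these rules a missing `fork` value coerces to 0, so both spellings let the step run on push and same-repo PR events and skip it on fork PRs; a push-triggered run of the workflow is the final check.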
Pull request overview
Updates the main CI workflow to avoid running secret-dependent steps and report publishing for pull requests coming from forks, so external contributors can get passing CI without access to internal credentials.
Changes:
- Gate Vault secret retrieval steps behind a fork check.
- Gate Docker Hub login and `sign-plugin` usage behind a fork check.
- Gate the `publish-report` job behind a fork check.
Keep the existing dependabot[bot] actor check alongside the new fork check to avoid an unintended behavior change.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
What this PR does / why we need it:
Gates vault secret steps, sign-plugin, Docker Hub login and the `publish-report` job with a fork check so external contributors get green CI.

Which issue(s) this PR fixes:
Fixes the CI failures on #2498.

Special notes for your reviewer: N/A