
Block fork pull request workflow jobs #1

Merged: dikshant-coderabbit merged 2 commits into main from coderabbit/actions-lockdown-external-prs on May 12, 2026

Conversation


@harjotgill harjotgill commented May 12, 2026

Summary

  • Skip GitHub Actions jobs for pull requests opened from forks.
  • Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

  • Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

  • Chores
    • Strengthened GitHub Actions guards: workflows now limit job runs to repository pushes or pull requests originating from the same repository, reducing runs on forks.
    • Corrected bot identity used in automated responses to ensure proper actor matching.
    • Applied these conditional checks across CI, security scanning, issue-response, and project automation workflows.

Review Change Stack

@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀


coderabbitai Bot commented May 12, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8c749b8c-b7b1-4ef1-b0fe-96298bd3cb49

📥 Commits

Reviewing files that changed from the base of the PR and between 1acc85c and c04d97e.

📒 Files selected for processing (1)
  • .github/workflows/immediate-response.yml


Walkthrough

All four GitHub Actions workflows receive fork-safety guards. Job-level if conditions now restrict execution to non-PR events or PRs from the same repository, preventing CI jobs from running on fork pull requests while preserving behavior for internal PRs and branch pushes.

Changes

CI Workflow Fork Safety Gating

Layer / File(s): Fork repository safety conditions across all workflows (.github/workflows/add_to_octokit_project.yml, .github/workflows/codeql.yml, .github/workflows/immediate-response.yml, .github/workflows/test.yml)

Summary: All CI workflow jobs now include conditional guards that restrict execution to non-PR events or PRs originating from the same repository, using the pattern `github.event.pull_request == null

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • coderabbitai/auth-token.js#1: Makes the same job-level if changes across the same GitHub Actions workflow files to skip jobs for forked pull requests.

Poem

🐰
I hop through workflows, soft and spry,
I guard the forks, so tests run right,
Only trusted branches get the light,
CI sleeps soundly through the night.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The PR description deviates significantly from the required template, omitting critical sections like issue reference, before/after behavior details, checklist items, and breaking change notification. Resolution: add issue reference, complete 'Before/After the change' sections with details, check the provided checkboxes, and include breaking change assessment per the template.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'Block fork pull request workflow jobs' clearly and concisely summarizes the main change: adding conditional guards to prevent GitHub Actions jobs from running on pull requests from forks.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/immediate-response.yml:
- Line 14: The conditional filter in the if expression uses the wrong actor
string "githubactions[bot]" and therefore fails to exclude the built-in Actions
bot; update the actor check in the if expression (the compound condition that
includes github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' &&
github.actor != 'githubactions[bot]' && github.actor != 'octokitbot') to use the
correct "github-actions[bot]" value so the built-in GitHub Actions bot is
properly excluded.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 77fac40a-f611-4382-9e34-3293e1a768c9

📥 Commits

Reviewing files that changed from the base of the PR and between f97b06b and 1acc85c.

📒 Files selected for processing (4)
  • .github/workflows/add_to_octokit_project.yml
  • .github/workflows/codeql.yml
  • .github/workflows/immediate-response.yml
  • .github/workflows/test.yml
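The two points this PR and its review turn on, the job-level fork guard and the exact bot login in the actor exclusion, are easy to get subtly wrong and silently lose protection. The following is an added example, not code from this PR or the repository: a small, dependency-free lint that scans workflow files and reports jobs whose job-level `if:` lacks the same-repository check, or still spells the built-in bot as `githubactions[bot]`. It assumes two-space YAML indentation, and the full guard expression `github.event.pull_request.head.repo.full_name == github.repository` is my assumption about how the guard is written, since the page only shows the `github.event.pull_request == null` prefix. The sample workflows are constructed for the demonstration.

```python
"""Lint GitHub Actions workflows for (1) a job-level fork guard on every job and
(2) the correctly spelled built-in bot login in actor exclusions.
Line-based scan, no PyYAML; assumes `jobs:` at column 0, job ids at column 2,
job keys at column 4 (the layout of the workflows touched by this PR)."""
import re

# Assumed spelling of the same-repository check (page only shows the null prefix).
FORK_GUARD = "github.event.pull_request.head.repo.full_name == github.repository"
BAD_ACTOR = "githubactions[bot]"      # the misspelling the review flagged
GOOD_ACTOR = "github-actions[bot]"    # real login of the built-in Actions bot


def split_jobs(workflow_text):
    """Map each job id under `jobs:` to its list of (indent, text) lines."""
    jobs, current, in_jobs = {}, None, False
    for raw in workflow_text.splitlines():
        text = raw.lstrip()
        indent = len(raw) - len(text)
        if not text or text.startswith("#"):
            continue
        if indent == 0:                                   # new top-level key
            in_jobs, current = text.startswith("jobs:"), None
        elif in_jobs and indent == 2 and text.endswith(":"):
            current = text[:-1]                           # job id, e.g. `test:`
            jobs[current] = []
        elif current is not None:
            jobs[current].append((indent, text))
    return jobs


def job_if_expression(body):
    """Return the job-level `if:` value, joining `>-` / `|` block-scalar continuation lines."""
    parts, collecting = [], False
    for indent, text in body:
        if indent == 4:                                   # next job-level key ends the block
            if collecting:
                break
            if text.startswith("if:"):
                parts.append(re.sub(r"^[>|][+-]?", "", text[3:].strip()))
                collecting = True
        elif collecting:
            parts.append(text)
    return " ".join(p for p in parts if p)


def lint_workflow(workflow_text):
    """One finding per job that lacks the fork guard or uses the misspelled actor."""
    findings = []
    for job, body in split_jobs(workflow_text).items():
        expr = job_if_expression(body)
        if FORK_GUARD not in expr:
            findings.append(f"{job}: no job-level fork guard")
        if BAD_ACTOR in expr:
            findings.append(f"{job}: actor check uses '{BAD_ACTOR}', expected '{GOOD_ACTOR}'")
    return findings


# Constructed sample workflows (not the repository's files).
UNGUARDED_WORKFLOW = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""

TYPO_ACTOR_WORKFLOW = """\
name: immediate-response
on:
  issues:
    types: [opened]
  pull_request:
    types: [opened]
jobs:
  respond:
    runs-on: ubuntu-latest
    if: >-
      (github.event.pull_request == null ||
       github.event.pull_request.head.repo.full_name == github.repository) &&
      github.actor != 'dependabot[bot]' && github.actor != 'githubactions[bot]'
    steps:
      - if: github.event_name == 'issues'
        run: echo "issue opened"
"""

# The fix the review asked for: correct the actor string, leave the guard intact.
FIXED_WORKFLOW = TYPO_ACTOR_WORKFLOW.replace(BAD_ACTOR, GOOD_ACTOR)

if __name__ == "__main__":
    for name, wf in [("unguarded", UNGUARDED_WORKFLOW),
                     ("typo-actor", TYPO_ACTOR_WORKFLOW), ("fixed", FIXED_WORKFLOW)]:
        print(name, lint_workflow(wf) or "OK")
```

Point `lint_workflow` at each file under `.github/workflows/` in a pre-commit hook or a CI step to catch a job that was added without the guard; the actor check only matters for workflows that gate on `github.actor`, and a step-level `if:` is deliberately ignored because only the job-level condition stops the runner from checking out fork code at all.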

Comment thread .github/workflows/immediate-response.yml Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@dikshant-coderabbit dikshant-coderabbit merged commit 07fa459 into main May 12, 2026
3 of 5 checks passed
@dikshant-coderabbit dikshant-coderabbit deleted the coderabbit/actions-lockdown-external-prs branch May 12, 2026 17:36