fix: skip zizmor scan on PRs with no workflow changes (#11)

jalseth · web-flow · commit 6eac0e591000 · 2026-06-02T16:10:41.000-07:00
Fix the skipping logic for `zizmor-scan` to ensure that for all Pull Request
events (both `pull_request` and `pull_request_target`), the job is skipped if
no workflow files have changed, even if `wif_provider` is provided as an
input. Non-PR events (like `push` or `schedule`) will still run if
`wif_provider` is set.
diff --git a/.github/workflows/github_actions_scan.yml b/.github/workflows/github_actions_scan.yml
@@ -46,11 +46,13 @@ jobs:
     needs: ['check-changes']
     runs-on: 'ubuntu-latest'
     if: >-
-      inputs.wif_provider != '' ||
+      needs.check-changes.outputs.files != '' &&
       (
-        needs.check-changes.outputs.files != '' &&
-        github.event_name == 'pull_request_target' &&
-        !startsWith(github.workflow_ref, format('{0}/', github.repository))
+        inputs.wif_provider != '' ||
+        (
+          github.event_name == 'pull_request_target' &&
+          !startsWith(github.workflow_ref, format('{0}/', github.repository))
+        )
       )
     permissions:
       contents: 'read'
