Fix pipeline to not fail on PRs from forked repos

.github/workflows/ci-reporting-app-openapi.yml

@@ -23,11 +23,18 @@ concurrency:
 jobs:
   update-openapi-docs:
     runs-on: ubuntu-latest
+    env:
+      # Pass through env so shell steps are not script-injection vectors (github.head_ref in run:)
+      HEAD_REF: ${{ github.head_ref }}
     steps:
       - uses: actions/checkout@v4
         with:
-          # Checkout the feature branch associated with the pull request
-          ref: ${{ github.head_ref }}
+          # Use PR head SHA so fork PRs work (branch name from head_ref may not exist on upstream)
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Detached HEAD at SHA breaks `git push`; recreate the PR branch name at this commit for same-repo PRs
+      - name: Match branch for git push
+        run: git checkout -B "$HEAD_REF"
 
       - name: Update OpenAPI spec
         run: make .env openapi-spec
@@ -45,4 +52,5 @@ jobs:
             --ignore-matching-lines='ref": .*\/[0-9a-z]{32}"$' \
             --ignore-matching-lines='[ "'\'']+[0-9a-z]{32}["'\'']*:' \
             || git commit -m "Update OpenAPI spec"
-          git push
+          # No upstream after checkout -B; push explicitly (same as push -u origin <branch>)
+          git push origin "HEAD:refs/heads/${HEAD_REF}"

.github/workflows/ci-reporting-app-pr-environment-checks.yml

@@ -11,12 +11,25 @@ on:
   pull_request:
 
 jobs:
+  # Fork PRs cannot use id-token/OIDC to AWS; running build + PR env + e2e would always fail.
+  # Same-repo PR: head branch lives in this repo (matches `gh api repos/.../pulls/N` head.repo.full_name vs base).
   update:
     name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
     uses: ./.github/workflows/pr-environment-checks.yml
-    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.state == 'open'
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.state == 'open' && github.event.pull_request.head.repo.full_name == github.repository)
     with:
       app_name: "reporting-app"
       environment: "dev"
       pr_number: ${{ inputs.pr_number || github.event.number }}
       commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }}
+
+  # Keeps fork PR workflow runs successful with an explicit notice (avoids red e2e/AWS failures).
+  fork-pr-skip-notice:
+    name: PR environment / E2E skipped (fork PR)
+    if: github.event_name == 'pull_request' && github.event.pull_request.state == 'open' && github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Explain skip
+        run: |
+          echo "::notice::PR environment update and E2E are skipped for fork PRs (GitHub does not grant OIDC/AWS credentials to workflows from forks)."
+          echo "Validate after merge to the default branch, or push a branch on the upstream repo for a full run."