Tighten security checks for fork workflows #1924

	name: CI
	on:
	push:
	branches:
	- "main"
	pull_request:

	permissions: {}

	jobs:
	license-headers:
	name: Check licenses headers
	runs-on: ubuntu-latest
	steps:
	- name: Checkout sources
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
	with:
	node-version: 24

	- name: Check License Header (Check Mode)
	uses: apache/skywalking-eyes/header@5c5b974209f0de5d905f37deb69369068ebfc15c # v0.7.0
	with:
	config: .github/config/.licenserc.yaml

	build:
	runs-on: ubuntu-latest
	if: github.event.pull_request.head.repo.fork == false
	steps:
	- name: Checkout sources
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
	with:
	node-version: 24

	- name: Build
	run: \|
	npm ci
	npm run build:all
	npm run licenses-check
	npm run lint
	npm run test:coverage

	- name: SonarCloud Scan
	uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 #v5.3.1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Provide feedback