Status: Open
Labels: needs PR (This issue has a possibly feasible solution, waiting for a patch!)
Description
Summary
The Release Please workflow currently runs in forks of this repository.
This causes unnecessary release runs and potential confusion for contributors who fork Topgrade.
Steps to Reproduce
- Fork the topgrade-rs/topgrade repository.
- Push a commit to the fork.
- Observe that the Release Please workflow executes in the fork.
Expected Behavior
Release Please should only run in the upstream topgrade-rs/topgrade repository, not in forks.
Actual Behavior
The current .github/workflows/release-plz.yml file does not restrict execution to the upstream repository.
As a result, Release Please runs in forks, attempting to create releases or tags where they are not needed.
Security Considerations
- Forks may accidentally publish releases or tags.
- Workflows in forks could expose secrets if contributors configure them.
- Running release workflows in forks increases supply chain risk.
Suggested Solution
Add a repository guard in the workflow to ensure Release Please only runs in the upstream repository:
```yaml
jobs:
  release-plz-release:
    if: github.repository == 'topgrade-rs/topgrade'
    ...
  release-plz-pr:
    if: github.repository == 'topgrade-rs/topgrade'
    ...
```

This ensures Release Please only runs in the intended upstream repository.
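As an added example, not part of this issue or of the Topgrade repository: a stdlib-only audit that walks a workflow file and reports every job under `jobs:` lacking the repository guard suggested above, so the check covers all jobs and also catches a guard that names the wrong repository. The two-space indentation and the sample workflow text are assumptions constructed for the example.

```python
import re

# Added example, not part of the Topgrade issue or repository: a
# dependency-free audit that lists jobs in a workflow lacking the
# `if: github.repository == '<upstream>'` guard the issue proposes.
# Assumes the conventional two-space indentation of workflow YAML.
UPSTREAM = "topgrade-rs/topgrade"

# Accepts `if: github.repository == 'x'` and the `${{ ... }}` form.
GUARD_RE = re.compile(
    r"""^\s*if:\s*(?:\$\{\{\s*)?github\.repository\s*==\s*['"]([^'"]+)['"]"""
)


def unguarded_jobs(workflow_text: str, upstream: str = UPSTREAM) -> list:
    """Names of jobs under `jobs:` without a guard naming `upstream`."""
    guarded = {}        # job name -> True once a correct guard is seen
    in_jobs = False
    current = None
    for raw in workflow_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                       # new top-level key
            in_jobs = stripped == "jobs:"
            current = None
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]           # a job definition starts
            guarded[current] = False
        elif in_jobs and indent == 4 and current is not None:
            m = GUARD_RE.match(raw)
            if m and m.group(1) == upstream:  # guard must name upstream
                guarded[current] = True
    return [name for name, ok in guarded.items() if not ok]


# Constructed sample in the shape the issue describes, before the fix ...
WITHOUT_GUARD = """\
on: [push]
jobs:
  release-plz-release:
    runs-on: ubuntu-latest
  release-plz-pr:
    runs-on: ubuntu-latest
"""
# ... and after adding the suggested guard to both jobs.
WITH_GUARD = WITHOUT_GUARD.replace(
    "    runs-on:", "    if: github.repository == 'topgrade-rs/topgrade'\n    runs-on:")
```

Running `unguarded_jobs(WITHOUT_GUARD)` names both release jobs, while `unguarded_jobs(WITH_GUARD)` returns an empty list; a guard naming another repository is still reported.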