Skip to content

ci: skip release/publish/changelog automation on forks#5756

Merged
leaanthony merged 1 commit into
masterfrom
ci/guard-fork-workflow-runs
Jul 6, 2026
Merged

ci: skip release/publish/changelog automation on forks#5756
leaanthony merged 1 commit into
masterfrom
ci/guard-fork-workflow-runs

Conversation

@taliesin-ai

@taliesin-ai taliesin-ai commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Why

nightly-release-v3.yml, publish-npm.yml, auto-changelog-v3.yml and changelog-v3.yml have no repository guard, so any fork with Actions enabled runs them against its own default branch.

This is actively biting #5462: the PR head is the author's fork master, and the fork's Actions keep committing straight into the open PR — a nightly-minted v3.0.0-alpha2.114 release bump that collides with the real one, @wailsio/runtime version bumps, and 90+ regenerated typedoc files whose source links point at the fork instead of wailsapp/wails.

What

Add the same job-level guard the repo already uses in weekly-release-v2.yml and generate-sponsor-image.yml:

if: github.repository == 'wailsapp/wails'

composed with the existing conditions where a job already had an if. For pull_request/pull_request_target events github.repository is the base repo, so fork-authored PRs against upstream still run these normally — only runs inside a fork are skipped.

Because push-triggered runs use the workflow file at the pushed commit and cron runs use the fork's default-branch copy, merging this and then updating #5462's branch from master disarms the fork automation without needing any settings change on the fork.

Summary by CodeRabbit

  • Chores
    • Tightened automation checks so release, changelog, and publishing jobs run only in the intended repository.
    • Improved control over when manual and merged-PR workflows trigger, reducing accidental execution in other contexts.

nightly-release-v3, publish-npm, auto-changelog-v3 and changelog-v3 had no
repository guard, so any fork with Actions enabled runs them against its own
default branch. On a fork whose master is a PR head (#5462) this keeps
committing fork-generated release bumps, npm version bumps and typedoc output
(with fork source links) straight into the open PR. Guard the jobs with
github.repository == 'wailsapp/wails', matching weekly-release-v2 and
generate-sponsor-image.
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1339a6fb-986d-4225-81b2-42012eecc20a

📥 Commits

Reviewing files that changed from the base of the PR and between 1961c27 and 04dbf7d.

📒 Files selected for processing (4)
  • .github/workflows/auto-changelog-v3.yml
  • .github/workflows/changelog-v3.yml
  • .github/workflows/nightly-release-v3.yml
  • .github/workflows/publish-npm.yml

Walkthrough

Four GitHub Actions workflow files (auto-changelog-v3.yml, changelog-v3.yml, nightly-release-v3.yml, publish-npm.yml) have job-level if conditions added or extended to require github.repository == 'wailsapp/wails', preventing these jobs from executing on forked or other repositories.

Changes

CI Workflow Repository Gating

Layer / File(s) Summary
Changelog workflow gates
.github/workflows/auto-changelog-v3.yml, .github/workflows/changelog-v3.yml
Adds a github.repository == 'wailsapp/wails' requirement to the auto-changelog job condition and adds a job-level if to the validate job.
Release and publish workflow gates
.github/workflows/nightly-release-v3.yml, .github/workflows/publish-npm.yml
Adds a repository-check condition to the nightly-release job and extends the detect and rebuild_and_publish job conditions in publish-npm.yml with the same repository gate.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • wailsapp/wails#5281: Both PRs affect nightly-release-v3.yml execution triggering/gating logic.
  • wailsapp/wails#5282: Both PRs modify auto-changelog-v3.yml to gate execution to the wailsapp/wails repository.
  • wailsapp/wails#5286: Both PRs modify when the nightly-release job runs in nightly-release-v3.yml.

Suggested labels: reviewed ✅

Suggested reviewers: leaanthony

Poem

A rabbit checks the repo's name before it starts to hop,
No forked-off fields shall trigger jobs, from top to bottom stop.
Four workflows now stand guarded, with a gate so neat and small,
"wailsapp/wails only!" — that's the rule that governs all. 🐇✨

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/guard-fork-workflow-runs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@leaanthony leaanthony merged commit a84a490 into master Jul 6, 2026
29 of 31 checks passed
@leaanthony leaanthony deleted the ci/guard-fork-workflow-runs branch July 6, 2026 00:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants