amimas · amimas · Jun 7, 2026 · Jun 7, 2026 · Jun 7, 2026
@@ -20,11 +20,11 @@
        with:
          ref: ${{ inputs.BRANCH_REF }}
          fetch-depth: 2
      - name: Configure uv environment
        uses: ./.github/actions/setup-uv-local
        with:
          python-version: "3.14"
      - name: Install dependencies
        run: uv sync --frozen --no-dev --group release
      - name: Build and verify the package
        run: |
@@ -45,11 +45,11 @@
        with:
          ref: ${{ inputs.BRANCH_REF }}
          fetch-depth: 2
      - name: Configure uv environment
        uses: ./.github/actions/setup-uv-local
        with:
          python-version: "3.14"
      - name: Install dependencies
        run: uv sync --frozen --no-dev --group docs
      - name: Build documentation
        run: uv run --no-sync docs build
@@ -60,7 +60,7 @@
           path: site
 
   smoke-tests:
-    name: "Smoke (${{ matrix.os == 'ubuntu-latest' && 'Linux' || matrix.os == 'macos-latest' && 'macOS' || 'Windows' }}, ${{ matrix.python-version }})"
+    name: "Smoke test - (${{ matrix.os == 'ubuntu-latest' && 'Linux' || matrix.os == 'macos-latest' && 'macOS' || 'Windows' }}, ${{ matrix.python-version }})"
     strategy:
       fail-fast: false
       matrix:
@@ -74,11 +74,11 @@
        with:
          ref: ${{ inputs.BRANCH_REF }}
          fetch-depth: 2
      - name: Configure uv environment
        uses: ./.github/actions/setup-uv-local
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: uv sync --frozen --no-dev --group test
      - name: Run smoke tests
        run: uv run --no-sync gitlabform -V
@@ -0,0 +1,34 @@
+name: "CI - Fork PRs"
+
+# This workflow handles pull requests from forked repositories.
+# It uses pull_request_target so the reusable CI workflow can receive explicit secrets.
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+  security-events: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+on:
+  pull_request_target:
+    branches:
+      - main
+
+jobs:
+  pr_jobs:
+    name: "Pipeline"
+    # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/pr-ci-workflow.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      pull-requests: write
+      security-events: write
+    with:
+      BRANCH_REF: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit
@@ -0,0 +1,34 @@
+name: "CI - PRs"
+
+# This workflow is the entrypoint for pull requests opened from host repository.
+# Fork PRs are handled by prs-entrypoint-forks.yml using pull_request_target.
+# It forwards the branch SHA and explicit secrets to the reusable workflow.
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  pr_jobs:
+    name: "Pipeline"
+    # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+    uses: ./.github/workflows/pr-ci-workflow.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      pull-requests: write
+      security-events: write
+    with:
+      BRANCH_REF: ${{ github.event.pull_request.head.sha }}
+    secrets: inherit