
Block fork pull request workflow jobs #4

Merged
dikshant-coderabbit merged 1 commit into master from coderabbit/actions-lockdown-external-prs on May 12, 2026

Conversation

@harjotgill
Contributor

@harjotgill harjotgill commented May 12, 2026

Summary

  • Skip GitHub Actions jobs for pull requests opened from forks.
  • Keep push, merge queue, issue, and same-repository pull request behavior unchanged.

Why

Public fork pull requests can run attacker-controlled workflow code. Skipping those jobs prevents those pull requests from reaching repository secrets through GitHub Actions.

Validation

  • Parsed the changed workflow files with yq e '.'.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to improve review job handling for internal automation processes.

@coderabbitai

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 40139b77-e8b0-4ca2-9c0a-4012115aad86

📥 Commits

Reviewing files that changed from the base of the PR and between 80e4125 and 4d8af7b.

📒 Files selected for processing (1)
  • .github/workflows/openai-review.yml
📜 Recent review details
🔇 Additional comments (1)
.github/workflows/openai-review.yml (1)

21-21: Condition correctly enforces fork PR job lockdown.

Line 21’s guard cleanly skips the review job for fork-origin pull requests (including PR review-comment events) while preserving same-repository PR behavior.


📝 Walkthrough

A single conditional guard is added to the OpenAI PR reviewer action step in the GitHub Actions workflow, restricting execution to events without an associated pull request or when the pull request originates from the same repository.

Changes

Workflow Condition Guard for OpenAI Reviewer

Layer: OpenAI reviewer execution condition
File(s): .github/workflows/openai-review.yml
Summary: An if condition guards the OpenAI reviewer step to run only when github.event.pull_request is null or the PR head repository matches the current repository, preventing execution on fork pull requests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A guardian clause stands at the gate,
Letting workflows through with careful fate,
No forks shall pass, no cross-repo sneak—
Just native PRs that the reviewer seeks! 🐰✨

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Block fork pull request workflow jobs' accurately describes the main change: adding conditional guards to prevent workflow jobs from running on fork pull requests.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch coderabbit/actions-lockdown-external-prs
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch coderabbit/actions-lockdown-external-prs

Comment @coderabbitai help to get the list of available commands and usage tips.
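The guard described in the walkthrough above, shown in a complete workflow as an added example (this is not the project's own openai-review.yml; the workflow name, job and step names, the action reference and the secret name are placeholders). The if expression is the one the walkthrough describes: the step runs when the event carries no pull request at all, or when the pull request's head repository is the repository hosting the workflow, so pull requests opened from forks never reach the step or the secret it is given.

```yaml
# Added example, not the project's workflow file.
# Placeholder names: example-review, example-org/example-reviewer-action, REVIEWER_API_KEY.
name: example-review

on:
  push:
    branches: [master]
  pull_request:
  pull_request_review_comment:
  issues:
  merge_group:

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Run reviewer
        # Runs for events with no associated pull request (push, issues, merge_group)
        # and for same-repository pull requests. For fork PRs, head.repo.full_name is
        # the fork's name, not github.repository, so the step is skipped.
        if: ${{ github.event.pull_request == null || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: example-org/example-reviewer-action@v1   # placeholder action reference
        env:
          REVIEWER_API_KEY: ${{ secrets.REVIEWER_API_KEY }}   # placeholder secret name
```

The same expression can be placed on the job (if: directly under review:) instead of on the step; at job level the skip also covers any checkout or setup steps that precede the reviewer. When checking a change like this, trigger the workflow once from a same-repository branch and once from a fork and confirm in the run log that the guarded step reports "skipped" only for the fork run.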

@github-actions

github-actions Bot commented May 12, 2026


Uplevel your code reviews with CodeRabbit Pro

CodeRabbit Pro

If you like this project, please support us by purchasing the Pro version. The Pro version has advanced context, superior noise reduction and several proprietary improvements compared to the open source version. Moreover, CodeRabbit Pro is free for open source projects.


Commits
Files that changed from the base of the PR and between 80e4125 and 4d8af7b commits.
Files selected (1)
  • .github/workflows/openai-review.yml (1)
Files not summarized due to errors (1)
  • .github/workflows/openai-review.yml (nothing obtained from openai)
Files not reviewed due to errors (1)
  • .github/workflows/openai-review.yml (no response)
Review comments generated (0)
  • Review: 0
  • LGTM: 0

Tips

Chat with CodeRabbit Bot (@coderabbitai)

  • Reply on review comments left by this bot to ask follow-up questions. A review comment is a comment on a diff or a file.
  • Invite the bot into a review comment chain by tagging @coderabbitai in a reply.

Code suggestions

  • The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
  • You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.

Pausing incremental reviews

  • Add @coderabbitai: ignore anywhere in the PR description to pause further reviews from the bot.

@dikshant-coderabbit dikshant-coderabbit merged commit 8ed5d92 into master May 12, 2026
2 checks passed