ci(workflows): restrict release workflows to upstream repo #2432

Open
ttw225 wants to merge 1 commit into Canner:main from ttw225:ci/restrict-release-workflows-to-upstream

@ttw225 ttw225 commented Jul 4, 2026

Contributor

Summary

  • Clicking Sync fork on a fork of Canner/WrenAI to pull in upstream main updates fires a push event on the fork's main, which triggers Release Please and Sync Docs to Website — both fail because neither workflow checks github.repository before running.
  • Failing run evidence (from my fork):
  • Fix: add if: ${{ github.repository == 'Canner/WrenAI' }} to the entry job of release-please.yml, sync-docs.yml, and rc-release.yml.
  • The six publish-*.yml workflows are workflow_call-only and already cascade-skip via needs: release-please / needs: create-rc, so they don't need a separate guard.
  • Test CI (wren-ci, core-py-ci, rust, wasm-ci, sdk-*-ci) is untouched — it should keep running on forks for contributor PR validation.
  • Same guard pattern as commitizen-tools/commitizen#1889, which I did for the same fork/CI issue there.

Test plan

  • actionlint on the three changed files — no new findings
  • Confirmed against the fork's actual run history — see links above
  • After merge: confirm release-please still runs normally on Canner/WrenAI
  • After merge: confirm a fork push to main shows release-please/sync-docs as Skipped, not Failure

Summary by CodeRabbit

  • Chores
    • Restricted release and documentation automation to run only in the primary repository, reducing unintended runs in other copies or forks.
    • Release-related jobs now execute more selectively, which helps prevent accidental publishing or sync actions outside the intended project.

release-please and sync-docs run unconditionally on forks and fail there (fork GITHUB_TOKEN can't open PRs, CROSS_REPO_TOKEN doesn't exist). Guard release-please, sync-docs, and rc-release on github.repository == 'Canner/WrenAI'.
@github-actions github-actions Bot added the ci label Jul 4, 2026
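
The guard and the cascade-skip behaviour described in this PR, shown as an added illustration that is not taken from the Canner/WrenAI workflow files. The job names follow the PR description; the step contents and the `publish-example.yml` path are placeholders.

```yaml
# Constructed illustration, not the contents of the real workflow files.
name: Release Please
on:
  push:
    branches: [main]

jobs:
  release-please:
    # Entry job. On a fork, github.repository is "<fork-owner>/<fork-name>",
    # so this expression is false and the job is reported as Skipped
    # instead of running and failing.
    if: ${{ github.repository == 'Canner/WrenAI' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "release step placeholder"

  publish:
    # No guard of its own: a job whose `needs` dependency was skipped is
    # skipped as well, unless its own `if` uses a status function such as
    # always(), in which case it needs the repository check too.
    needs: release-please
    uses: ./.github/workflows/publish-example.yml  # hypothetical workflow_call-only file
```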

coderabbitai Bot commented Jul 4, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e950b706-008b-41ea-90aa-211f74a6ed28

📥 Commits

Reviewing files that changed from the base of the PR and between 5ff51e4 and 6bccd3a.

📒 Files selected for processing (3)
  • .github/workflows/rc-release.yml
  • .github/workflows/release-please.yml
  • .github/workflows/sync-docs.yml

Walkthrough

This PR adds a job-level if condition to three GitHub Actions workflows (rc-release, release-please, sync-docs) restricting their execution to runs where github.repository equals Canner/WrenAI.

Changes

Repository Guard Conditions

Layer / File(s) | Summary
Add repository guard to release-please job (.github/workflows/release-please.yml) | Adds if: ${{ github.repository == 'Canner/WrenAI' }} to the release-please job, gating downstream publishing jobs.
Add repository guard to rc-release job (.github/workflows/rc-release.yml) | Adds a job-level conditional guard restricting create-rc execution to the canonical repository.
Add repository guard to sync-docs job (.github/workflows/sync-docs.yml) | Adds a job-level conditional guard restricting sync-docs execution to the canonical repository.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

  • Canner/WrenAI#2216: Introduced the same release/CI workflow set now refined with these repository guard conditions.

Suggested reviewers: goldmedal

Poem

Three workflows guarded, one repo true,
No forks shall trigger the release brew,
A rabbit checks the name with care,
"Canner/WrenAI" — yes, we're there! 🐇
Hop, build, ship — all fair and square.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: restricting release-related workflows to the upstream repository.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.