Skip to content

ci/workflows: disable github workflows on forks #38791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 6, 2025
Merged

ci/workflows: disable github workflows on forks #38791

merged 1 commit into from
May 6, 2025

Conversation

ishuar
Copy link
Contributor

@ishuar ishuar commented Apr 7, 2025
edited by aanm
Loading 

Disable GitHub workflows on forks

Disable GitHub Workflows on Forks by Default

Problem Statement

Currently, GitHub workflows are triggered on forked repositories, resulting in:

  • Unnecessary workflow runs on forks.
  • Unwanted GitHub email notifications for fork owners.

While GitHub provides an option to completely or selectively disable Actions on forks, this approach is restrictive and prevents users from using workflows on their forks for legitimate use cases.

Proposed Solution (Explicit Deny over Allow All)

This PR proposes changes to the GitHub workflows to explicitly configure them to run only when the project owner is cilium. By adding this condition, workflows will:

Run only on the cilium/cilium repository by default.
Prevent triggering workflows on forks, saving unnecessary usage and avoiding email spam.
If a fork owner wishes to run workflows, they can still modify the workflow configurations on their fork as needed.

Benefits

  • Reduces unnecessary workflow run usage.
  • Prevents unwanted email notifications for fork owners.
  • Provides a better default behavior while still allowing flexibility for fork owners.

Additional Context

Attached below are screenshots of the email notifications and workflow runs triggered on my fork to illustrate the problem being addressed by this PR.

Screenshot 2025-04-07 at 21 06 15

Screenshot 2025-04-07 at 21 07 19

@maintainer-s-little-helper

This comment was marked as resolved.

Sign in to view
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Apr 7, 2025
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Apr 7, 2025
@ishuar ishuar force-pushed the avoid-workflows-on-forks branch from 26b4660 to c258cf3 Compare April 7, 2025 19:30
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Apr 7, 2025
@ishuar ishuar force-pushed the avoid-workflows-on-forks branch 2 times, most recently from 8f12dd4 to 6708f02 Compare April 7, 2025 19:36
@ishuar ishuar marked this pull request as ready for review April 7, 2025 19:50
@ishuar ishuar requested review from a team as code owners April 7, 2025 19:50
@ishuar
Copy link
Contributor Author

ishuar commented Apr 8, 2025

With Allow <Fork-owner> actions and reusable workflows configurations.

Screenshot 2025-04-08 at 18 04 13

Screenshot 2025-04-08 at 18 06 44

thorn3r
thorn3r reviewed Apr 9, 2025
View reviewed changes
Copy link
Contributor

@thorn3r thorn3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the idea and intent behind this change, but I wonder if there's a more robust way to enforce it (maybe Ariane or some clever reusable action). This might work fine for now, but it seems likely it will get missed/forgotten on some future workflow or the addition of a new job.

@ishuar
Copy link
Contributor Author

ishuar commented Apr 10, 2025

@thorn3r Thank you for your input.

it seems likely it will get missed/forgotten on some future workflow or the addition of a new job.

I can understand and somewhat agree that this might be overlooked, and there could be another smarter way to do it and fully open to it.

However, for now, do you think we could adjust the workflows as a quick win?

joestringer
joestringer reviewed Apr 21, 2025
View reviewed changes
@joestringer joestringer added the release-note/ci This PR makes changes to the CI. label Apr 21, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Apr 21, 2025
@aanm aanm self-requested a review April 29, 2025 07:46
@ishuar ishuar force-pushed the avoid-workflows-on-forks branch 2 times, most recently from 5a465d9 to d055295 Compare May 5, 2025 17:16
@ishuar
ci/workflows: disable github workflows on forks using GH variable kil…
914064b 
…l switch

Signed-off-by: ishuar <ishansharma887@gmail.com>
@ishuar ishuar force-pushed the avoid-workflows-on-forks branch from d055295 to 914064b Compare May 5, 2025 17:18
ishuar
ishuar commented May 5, 2025
View reviewed changes
@aanm aanm enabled auto-merge May 6, 2025 08:48
@aanm
Copy link
Member

aanm commented May 6, 2025

/test

@aanm aanm added this pull request to the merge queue May 6, 2025
Merged via the queue into cilium:main with commit a4b295c May 6, 2025
61 checks passed
@ishuar ishuar deleted the avoid-workflows-on-forks branch May 6, 2025 13:43
@joestringer
Copy link
Member

Thanks for the improvement @ishuar 🙏

@giorio94 giorio94 mentioned this pull request May 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joestringer joestringer joestringer left review comments

@thorn3r thorn3r thorn3r left review comments

@aanm aanm aanm approved these changes

@sayboras sayboras Awaiting requested review from sayboras sayboras is a code owner automatically assigned from cilium/sig-servicemesh

@brlbil brlbil Awaiting requested review from brlbil brlbil is a code owner automatically assigned from cilium/github-sec

@liyihuang liyihuang Awaiting requested review from liyihuang liyihuang is a code owner automatically assigned from cilium/aws

@pchaigno pchaigno Awaiting requested review from pchaigno pchaigno is a code owner automatically assigned from cilium/ipsec

@wedaly wedaly Awaiting requested review from wedaly wedaly is a code owner automatically assigned from cilium/azure

@glrf glrf Awaiting requested review from glrf glrf is a code owner automatically assigned from cilium/sig-hubble

@tommyp1ckles tommyp1ckles Awaiting requested review from tommyp1ckles tommyp1ckles is a code owner automatically assigned from cilium/cli

Assignees
No one assigned
Labels
kind/community-contribution This was a contribution made by a community member. release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ishuar @aanm @joestringer @thorn3r