Skip to content

ci: prevent workflows from running on forks #8629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
etraut-openai merged 1 commit into from
Jan 3, 2026
Merged

ci: prevent workflows from running on forks #8629

etraut-openai merged 1 commit into from
Jan 3, 2026

Conversation

@leezenn
Copy link
Contributor

@leezenn leezenn commented Dec 30, 2025

Summary

Forked repositories inherit GitHub Actions workflows including scheduled ones. This causes:

  1. Wasted Actions minutes - Scheduled workflows run on forks even though they will fail
  2. Failed runs - Workflows requiring CODEX_OPENAI_API_KEY fail immediately on forks
  3. Noise - Fork owners see failed workflow runs they didn't trigger

This PR adds if: github.repository == 'openai/codex' guards to workflows that should only run on the upstream repository.

Affected workflows

Workflow Trigger Issue
rust-release-prepare schedule: */4 hours Runs 6x/day on every fork
close-stale-contributor-prs schedule: daily Runs daily on every fork
issue-deduplicator issues: opened Requires CODEX_OPENAI_API_KEY
issue-labeler issues: opened Requires CODEX_OPENAI_API_KEY

Note

cla.yml already has this guard (github.repository_owner == 'openai'), so it was not modified.

Test plan

  • Verify workflows still run correctly on openai/codex
  • Verify workflows are skipped on forks (can check via Actions tab on any fork)

@leezenn
ci: prevent workflows from running on forks
2dab5bf 
Add repository guards to scheduled and OpenAI-specific workflows to
prevent them from running on forks where they would fail (missing
secrets) and waste Actions minutes.

Affected workflows:
- rust-release-prepare (scheduled every 4h)
- close-stale-contributor-prs (scheduled daily)
- issue-deduplicator (requires CODEX_OPENAI_API_KEY)
- issue-labeler (requires CODEX_OPENAI_API_KEY)
@github-actions
Copy link
Contributor

github-actions bot commented Dec 30, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@leezenn
Copy link
Contributor Author

leezenn commented Dec 30, 2025

I have read the CLA Document and I hereby sign the CLA

github-actions bot added a commit that referenced this pull request Dec 30, 2025
@github-actions
@leezenn has signed the CLA in #8629
320c0c4
@leezenn
Copy link
Contributor Author

leezenn commented Dec 30, 2025

Per the contributing guidelines, noting that this is a bug fix, not a feature request.

The current behavior causes unintended side effects on forks:

  • Scheduled workflows consume fork owners' Actions minutes
  • Workflows fail due to missing secrets (CODEX_OPENAI_API_KEY)
  • Fork owners receive failure notifications for runs they didn't trigger

The cla.yml workflow already has this guard pattern (github.repository_owner == 'openai'), suggesting this was the intended behavior for fork-sensitive workflows.

@etraut-openai
Copy link
Collaborator

etraut-openai commented Dec 31, 2025

@codex review

@chatgpt-codex-connector
Copy link
Contributor

chatgpt-codex-connector bot commented Dec 31, 2025

Codex Review: Didn't find any major issues. Chef's kiss.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@etraut-openai
Copy link
Collaborator

etraut-openai commented Jan 3, 2026

Fork maintainers can also modify workflows if they'd prefer, but this is a sensible change. Thanks for the contribution.

@etraut-openai etraut-openai merged commit 0c1658d into openai:main Jan 3, 2026
45 of 48 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Jan 3, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@etraut-openai etraut-openai etraut-openai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leezenn @etraut-openai