From 9cef88187040d649cb0012ed2fbba9bb84b4ed6e Mon Sep 17 00:00:00 2001
From: ltagliaferri <lisa.tagliaferri@gmail.com>
Date: Wed, 4 Mar 2026 08:41:16 -0500
Subject: [PATCH] Disable workflow jobs in forks

Add repository condition to all workflow jobs so they are skipped
when run from a fork, preventing unintended deploys, releases, GCS
uploads, and secret access in forked repositories.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/compile-ai-docs-from-gcs.yaml | 1 +
 .github/workflows/compile-docs-on-webhook.yml   | 1 +
 .github/workflows/compile-docs.yml              | 1 +
 .github/workflows/compile-public-docs.yml       | 1 +
 .github/workflows/export-edu-docs-to-gcs.yaml   | 1 +
 5 files changed, 5 insertions(+)

diff --git a/.github/workflows/compile-ai-docs-from-gcs.yaml b/.github/workflows/compile-ai-docs-from-gcs.yaml
index 8503e55e6d..1d2e3852f6 100644
--- a/.github/workflows/compile-ai-docs-from-gcs.yaml
+++ b/.github/workflows/compile-ai-docs-from-gcs.yaml
@@ -25,6 +25,7 @@ permissions:
   
 jobs:
   compile-docs:
+    if: github.repository == 'chainguard-dev/edu'
     runs-on: ubuntu-latest
     environment: documentation
     
diff --git a/.github/workflows/compile-docs-on-webhook.yml b/.github/workflows/compile-docs-on-webhook.yml
index 9fe5674cb0..6973018962 100644
--- a/.github/workflows/compile-docs-on-webhook.yml
+++ b/.github/workflows/compile-docs-on-webhook.yml
@@ -15,6 +15,7 @@ permissions:
 
 jobs:
   compile-docs:
+    if: github.repository == 'chainguard-dev/edu'
     runs-on: ubuntu-latest
     environment: documentation  # Use environment protection rules
     
diff --git a/.github/workflows/compile-docs.yml b/.github/workflows/compile-docs.yml
index b297106877..8f00cc8faf 100644
--- a/.github/workflows/compile-docs.yml
+++ b/.github/workflows/compile-docs.yml
@@ -27,6 +27,7 @@ permissions:
   
 jobs:
   compile-docs:
+    if: github.repository == 'chainguard-dev/edu'
     runs-on: ubuntu-latest
     environment: documentation  # Use environment protection rules
     
diff --git a/.github/workflows/compile-public-docs.yml b/.github/workflows/compile-public-docs.yml
index 6732d98afb..60ead5ffbe 100644
--- a/.github/workflows/compile-public-docs.yml
+++ b/.github/workflows/compile-public-docs.yml
@@ -30,6 +30,7 @@ permissions:
   
 jobs:
   compile-and-release:
+    if: github.repository == 'chainguard-dev/edu'
     runs-on: ubuntu-latest
     
     steps:
diff --git a/.github/workflows/export-edu-docs-to-gcs.yaml b/.github/workflows/export-edu-docs-to-gcs.yaml
index b225558e19..a7da3416f8 100644
--- a/.github/workflows/export-edu-docs-to-gcs.yaml
+++ b/.github/workflows/export-edu-docs-to-gcs.yaml
@@ -20,6 +20,7 @@ permissions:
 
 jobs:
   export-docs:
+    if: github.repository == 'chainguard-dev/edu'
     runs-on: ubuntu-latest
     
     steps: