From 554de2eb1a5fc31e75c1a206e58a18ff779a2f2a Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Sun, 31 Aug 2025 11:50:00 +0000
Subject: [PATCH] ci: restrict image publish/deploy to canonical repo and main
 branch

- Add repo guard to publish and release workflows
- Ensure deploy workflow only runs in canonical repo
- Align with #69 to prevent publishing from forks/PRs
---
 .github/workflows/deploy-kubernetes.yml     | 1 +
 .github/workflows/publish-api-server.yml    | 2 ++
 .github/workflows/publish-dashboard.yml     | 1 +
 .github/workflows/publish-landing-page.yml  | 2 ++
 .github/workflows/publish-python-sdk.yml    | 1 +
 .github/workflows/publish-state-mangaer.yml | 1 +
 .github/workflows/release-dashboard.yml     | 1 +
 .github/workflows/release-python-sdk.yml    | 1 +
 .github/workflows/release-state-manager.yml | 1 +
 9 files changed, 11 insertions(+)

diff --git a/.github/workflows/deploy-kubernetes.yml b/.github/workflows/deploy-kubernetes.yml
index 81ded841..97ff74d0 100644
--- a/.github/workflows/deploy-kubernetes.yml
+++ b/.github/workflows/deploy-kubernetes.yml
@@ -6,6 +6,7 @@ on:
 jobs:  
   deploy-api-server:
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
     environment:
       name: deploy-kubernetes
     steps:
diff --git a/.github/workflows/publish-api-server.yml b/.github/workflows/publish-api-server.yml
index 5dc9c01f..b2c260fa 100644
--- a/.github/workflows/publish-api-server.yml
+++ b/.github/workflows/publish-api-server.yml
@@ -17,6 +17,7 @@ env:
 jobs:
   publish-image:
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read
@@ -58,6 +59,7 @@ jobs:
   deploy-to-k8s:
     needs: publish-image
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
 
     steps:
       - name: Deploy to K8s
diff --git a/.github/workflows/publish-dashboard.yml b/.github/workflows/publish-dashboard.yml
index ec45c180..3b4bde15 100644
--- a/.github/workflows/publish-dashboard.yml
+++ b/.github/workflows/publish-dashboard.yml
@@ -17,6 +17,7 @@ env:
 jobs:
   publish-image:
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read
diff --git a/.github/workflows/publish-landing-page.yml b/.github/workflows/publish-landing-page.yml
index 0e0e7fe8..38315115 100644
--- a/.github/workflows/publish-landing-page.yml
+++ b/.github/workflows/publish-landing-page.yml
@@ -17,6 +17,7 @@ env:
 jobs:
   publish-image:
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read
@@ -59,6 +60,7 @@ jobs:
   deploy-to-k8s:
     needs: publish-image
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
     steps:
       - name: Deploy to K8s
         run: |
diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml
index 73f8caf3..ea08fe12 100644
--- a/.github/workflows/publish-python-sdk.yml
+++ b/.github/workflows/publish-python-sdk.yml
@@ -66,6 +66,7 @@ jobs:
     defaults:
       run:
         working-directory: python-sdk
+    if: github.repository == 'exospherehost/exospherehost'
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/publish-state-mangaer.yml b/.github/workflows/publish-state-mangaer.yml
index b3926336..6bb4443f 100644
--- a/.github/workflows/publish-state-mangaer.yml
+++ b/.github/workflows/publish-state-mangaer.yml
@@ -74,6 +74,7 @@ jobs:
   publish-image:
     runs-on: ubuntu-latest
     needs: test
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read
diff --git a/.github/workflows/release-dashboard.yml b/.github/workflows/release-dashboard.yml
index f6d190b3..79626992 100644
--- a/.github/workflows/release-dashboard.yml
+++ b/.github/workflows/release-dashboard.yml
@@ -12,6 +12,7 @@ env:
 jobs:
   publish-image:
     runs-on: ubuntu-latest
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read
diff --git a/.github/workflows/release-python-sdk.yml b/.github/workflows/release-python-sdk.yml
index aa5366ac..b62061cc 100644
--- a/.github/workflows/release-python-sdk.yml
+++ b/.github/workflows/release-python-sdk.yml
@@ -62,6 +62,7 @@ jobs:
     defaults:
       run:
         working-directory: python-sdk
+    if: github.repository == 'exospherehost/exospherehost'
 
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/release-state-manager.yml b/.github/workflows/release-state-manager.yml
index da4d61fb..84498393 100644
--- a/.github/workflows/release-state-manager.yml
+++ b/.github/workflows/release-state-manager.yml
@@ -67,6 +67,7 @@ jobs:
   publish-image:
     runs-on: ubuntu-latest
     needs: test
+    if: github.repository == 'exospherehost/exospherehost'
 
     permissions:
       contents: read