From c52fc90306990025bbf0477ffad42e87d268d88d Mon Sep 17 00:00:00 2001
From: Jonas Kvinge
Date: Fri, 3 Nov 2023 22:47:25 +0100
Subject: [PATCH] CI: Don't run SSH upload or macOS codesign on forks
---
 .github/workflows/build.yml | 66 ++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d01542ea..0c90e734 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -143,19 +143,19 @@ jobs:
 /usr/src/packages/SRPMS/*.rpm
 /usr/src/packages/RPMS/x86_64/*.rpm
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/source ${{secrets.BUILDS_PATH}}/opensuse/${{env.opensuse_subdir}}
 - name: rsync source
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci') && matrix.opensuse_version == 'tumbleweed' && matrix.qt_version == '6'
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci') && matrix.opensuse_version == 'tumbleweed' && matrix.qt_version == '6'
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var /usr/src/packages/SOURCES/*.xz ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/source/
 - name: rsync rpms
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci') && matrix.opensuse_version != 'tumbleweed'
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci') && matrix.opensuse_version != 'tumbleweed'
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var /usr/src/packages/SRPMS/*.rpm /usr/src/packages/RPMS/x86_64/*.rpm ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/opensuse/${{env.opensuse_subdir}}/
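Review bot: The added `github.event.pull_request.head.repo.fork == false` term in the four `if:` lines of this hunk is true on push runs only because the missing `pull_request` payload yields an empty value that the expression language loosely coerces to equal `false`, and nothing in the file says so. On `pull_request` runs `github.ref` is normally `refs/pull/<n>/merge`, so the branch test already keeps these SSH steps from running; the new term only changes behaviour here if the workflow is also triggered in a way that keeps a branch ref (the `on:` block is outside this diff). I would add a comment above the first guarded step, e.g. `# push runs carry no pull_request payload; the empty value compares equal to false, so this term only filters pull requests from forks`. The same expression is repeated in every other hunk of the patch.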
@@ -255,16 +255,16 @@ jobs:
 /github/home/rpmbuild/SRPMS/*.rpm
 /github/home/rpmbuild/RPMS/x86_64/*.rpm
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/fedora/${{matrix.fedora_version}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var /github/home/rpmbuild/SRPMS/*.rpm /github/home/rpmbuild/RPMS/x86_64/*.rpm ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/fedora/${{matrix.fedora_version}}/
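Review bot: Both the `ssh` and the `rsync` line in this hunk pass `-o StrictHostKeyChecking=no`, which lets the client continue when the server's host key is unknown or has changed, so the `known_hosts` secret installed by the preceding "SSH key setup" step does not actually authenticate the upload target. These are context lines the commit leaves as they were, and the same option appears on every `ssh`/`rsync` line in the other upload hunks (openSUSE, OpenMandriva, Mageia, Debian, Ubuntu, macOS, Windows). Dropping the option, e.g. `rsync -e "ssh -p ${{secrets.SSH_PORT}}" -var …`, makes the pinned key effective. If that breaks the connection, the likely cause is that the `known_hosts` entry lacks the `[host]:port` form OpenSSH uses for non-default ports, and the entry should be fixed rather than the check disabled.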
@@ -364,16 +364,16 @@ jobs:
 /github/home/rpmbuild/SRPMS/*.rpm
 /github/home/rpmbuild/RPMS/x86_64/*.rpm
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/openmandriva/${{matrix.openmandriva_version}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && matrix.openmandriva_version != 'cooker' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var /github/home/rpmbuild/SRPMS/*.rpm /github/home/rpmbuild/RPMS/x86_64/*.rpm ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/openmandriva/${{matrix.openmandriva_version}}/
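Review bot: `uses: shimataro/ssh-key-action@v2` hands `secrets.SSH_KEY` to third-party code selected by a movable tag, so a retagged or compromised release of the action would run with the deployment key on the next push to `master` or `ci`. Pinning the step to a full commit SHA keeps the reviewed code fixed: `uses: shimataro/ssh-key-action@<full-commit-sha>  # v2`. The same applies to every other "SSH key setup" step in the patch and to `apple-actions/import-codesign-certs@v2` in the macOS hunk at line 809, which receives the signing certificate.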
@@ -466,16 +466,16 @@ jobs:
 /github/home/rpmbuild/SRPMS/*.rpm
 /github/home/rpmbuild/RPMS/x86_64/*.rpm
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/mageia/${{matrix.mageia_version}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var /github/home/rpmbuild/SRPMS/*.rpm /github/home/rpmbuild/RPMS/x86_64/*.rpm ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/mageia/${{matrix.mageia_version}}/
@@ -562,16 +562,16 @@ jobs:
 name: debian-${{matrix.debian_version}}
 path: "*.deb"
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/debian/${{matrix.debian_version}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var *.deb ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/debian/${{matrix.debian_version}}/
@@ -663,22 +663,22 @@ jobs:
 *.deb
 *.ddeb
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/ubuntu/${{matrix.ubuntu_version}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var *.deb *.ddeb ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/ubuntu/${{matrix.ubuntu_version}}/
 upload-ubuntu-ppa:
 name: Upload Ubuntu PPA
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -809,7 +809,7 @@ jobs:
 submodules: recursive
 - name: Import certificate file
- if: github.repository == 'strawberrymusicplayer/strawberry'
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
 uses: apple-actions/import-codesign-certs@v2
 with:
 p12-file-base64: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE }}
@@ -848,7 +848,7 @@ jobs:
 -DENABLE_DBUS=OFF
 -DICU_ROOT="${{env.prefix_path}}"
 -DFFTW3_DIR="${{env.prefix_path}}"
- -DAPPLE_DEVELOPER_ID=$(test "${{github.repository}}" = "strawberrymusicplayer/strawberry" && echo "383J84DVB6" || echo "")
+ -DAPPLE_DEVELOPER_ID=$(test '${{github.repository}}' = 'strawberrymusicplayer/strawberry' && test '${{github.event.pull_request.base.repo.full_name}}' = '${{github.event.pull_request.head.repo.full_name}}' && echo "383J84DVB6" || echo "")
 - name: Build
 run: cmake --build build --config Release --parallel 4
@@ -867,7 +867,7 @@ jobs:
 run: make deploy
 - name: Codesign libsoup
- if: github.repository == 'strawberrymusicplayer/strawberry'
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
 working-directory: build
 run: codesign -s 383J84DVB6 -f strawberry.app/Contents/Frameworks/{libsoup-3.0.0.dylib,libnghttp2.14.dylib,libpsl.5.dylib,libpcre2-16.0.dylib,libpng16.16.dylib,libzstd.1.dylib} strawberry.app
@@ -876,7 +876,7 @@ jobs:
 run: make deploycheck
 - name: Verify code-signing
- if: github.repository == 'strawberrymusicplayer/strawberry'
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false
 working-directory: build
 run: codesign --deep -v strawberry.app
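Review bot: In the hunk at line 848 the `-DAPPLE_DEVELOPER_ID=` line decides "not a fork" by comparing `pull_request.base.repo.full_name` with `pull_request.head.repo.full_name` inside a shell `test`, while the three `if:` guards on this job (Import certificate file, Codesign libsoup, Verify code-signing) use `head.repo.fork == false`. The two predicates are not equivalent — for instance they would disagree if the base repository were itself marked as a fork — so the build could be configured for signing while the certificate import is skipped, or the reverse. I would evaluate one expression once and reuse it, e.g. a step-level `env:` entry `SIGN: ${{ github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false }}` and then `-DAPPLE_DEVELOPER_ID=$(test "$SIGN" = "true" && echo "383J84DVB6" || echo "")`, which also keeps workflow expressions out of the script text. The `run:` block this line belongs to starts and ends outside the hunk.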
@@ -885,7 +885,7 @@ jobs:
 run: make dmg
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
@@ -898,7 +898,7 @@ jobs:
 run: echo "release_version=$(git describe --tags --exact-match ${GITHUB_SHA} 2>/dev/null | head -1)" >> $GITHUB_ENV
 - name: Set Upload path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
 run: |
 if [ "${{env.is_release}}" = "1" ] && ! [ "${{env.release_version}}" = "" ]; then
 echo "upload_path=${{secrets.DOWNLOADS_PATH}}/stable_releases/macos" >> $GITHUB_ENV
@@ -907,11 +907,11 @@ jobs:
 fi
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{env.upload_path}}
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci' || github.ref == 'refs/heads/macos')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var build/*.dmg ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{env.upload_path}}/
@@ -1194,18 +1194,18 @@ jobs:
 path: build/StrawberrySetup*.exe
 - name: SSH key setup
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 uses: shimataro/ssh-key-action@v2
 with:
 known_hosts: ${{secrets.SSH_KNOWN_HOSTS}}
 key: ${{ secrets.SSH_KEY }}
 - name: Create server path
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} mkdir -p ${{secrets.BUILDS_PATH}}/windows/mingw
 - name: rsync
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 run: rsync -e "ssh -p ${{secrets.SSH_PORT}} -o StrictHostKeyChecking=no" -var build/StrawberrySetup*.exe ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:${{secrets.BUILDS_PATH}}/windows/mingw/
@@ -1556,7 +1556,7 @@ jobs:
 rsync-windows-msvc-builds:
 name: Rsync Windows MSVC builds
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 runs-on: ubuntu-latest
 needs:
 - build-windows-msvc
@@ -1585,7 +1585,7 @@ jobs:
 upload-release:
 name: Upload release
- if: github.repository == 'strawberrymusicplayer/strawberry' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
+ if: github.repository == 'strawberrymusicplayer/strawberry' && github.event.pull_request.head.repo.fork == false && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/ci')
 runs-on: ubuntu-latest
 needs:
 - build-opensuse