diff --git a/.github/workflows/Run_RPS_AppKit-E8.yml b/.github/workflows/Run_RPS_AppKit-E8.yml index dea636c..6d3cb81 100644 --- a/.github/workflows/Run_RPS_AppKit-E8.yml +++ b/.github/workflows/Run_RPS_AppKit-E8.yml @@ -20,15 +20,51 @@ on: workflow_run: workflows: ["Build RPS for AppKit-E8 Hardware"] types: [completed] - branches: [main] + branches-ignore: ["main"] permissions: contents: read actions: read jobs: + fork-pr-blocked: + name: Block fork PRs from private runner + if: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_repository.full_name != github.repository }} + runs-on: ubuntu-latest + permissions: + pull-requests: write + + steps: + - name: Notify runner restriction for fork PRs + run: | + echo "Workflows on the private runner are restricted for security reasons." + echo "Contributor can validate PRs using GitHub-hosted runners." + exit 1 + + - name: Comment on PR + if: ${{ github.event.workflow_run.pull_requests[0].number }} + uses: actions/github-script@v7 + with: + script: | + const pr = context.payload.workflow_run.pull_requests[0].number; + + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: pr, + body: [ + "⚠️ **AppKit-E8 hardware test was not run**", + "", + "This PR comes from a fork, so it is intentionally blocked from using the private runner.", + "", + "A maintainer must run the hardware workflow from the base repository if hardware validation is required." + ].join("\n") + }); CI: - if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success') }} + if: >- + ${{ github.event_name == 'workflow_dispatch' || + (github.event.workflow_run.conclusion == 'success' && + github.event.workflow_run.head_repository.full_name == github.repository) }} runs-on: [self-hosted, rsp-p5-01] steps:
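Review bot: In the new `fork-pr-blocked` job the "Notify runner restriction for fork PRs" step ends with `exit 1`, so the "Comment on PR" step after it is skipped and the explanatory comment is never posted, because a step `if:` with no status function is evaluated as if `success() &&` were prepended. Move the comment step ahead of the failing step, or change its condition to `if: ${{ always() && github.event.workflow_run.pull_requests[0].number }}`. Separately, GitHub generally leaves `workflow_run.pull_requests` empty when the head branch lives in a fork, so this condition may be false for exactly the PRs the job targets; confirm on a test fork and, if so, look the PR up from `github.event.workflow_run.head_sha` instead. The `head_repository.full_name == github.repository` check on `CI` is the control that keeps fork code off the self-hosted runner, but the job's `steps:` continue outside the hunk, so what they check out or download could not be reviewed here.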