From 60f03984151cdf130a93526cbbf325d6d8840d64 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta <73165318+soumeh01@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:07:21 +0200
Subject: [PATCH 1/3] Add fork PR blocking for private runner in workflow
---
 .github/workflows/Run_RPS_AppKit-E8.yml | 39 +++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/Run_RPS_AppKit-E8.yml b/.github/workflows/Run_RPS_AppKit-E8.yml
index dea636c..c0146ec 100644
--- a/.github/workflows/Run_RPS_AppKit-E8.yml
+++ b/.github/workflows/Run_RPS_AppKit-E8.yml
@@ -20,15 +20,50 @@ on:
 workflow_run:
 workflows: ["Build RPS for AppKit-E8 Hardware"]
 types: [completed]
- branches: [main]
 permissions:
 contents: read
 actions: read
 jobs:
+ fork-pr-blocked:
+ name: Block fork PRs from private runner
+ if: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_repository.full_name != github.repository }}
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+
+ steps:
+ - name: Notify runner restriction for fork PRs
+ run: |
+ echo "Workflows on the private runner are restricted for security reasons."
+ echo "Contributor can validate PRs using GitHub-hosted runners."
+ exit 1
+
+ - name: Comment on PR
+ if: ${{ github.event.workflow_run.pull_requests[0].number }}
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const pr = context.payload.workflow_run.pull_requests[0].number;
+
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: pr,
+ body: [
+ "⚠️ **AppKit-E8 hardware test was not run**",
+ "",
+ "This PR comes from a fork, so it is intentionally blocked from using the private runner.",
+ "",
+ "A maintainer must run the hardware workflow from the base repository if hardware validation is required."
+ ].join("\n")
+ });
 CI:
- if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success') }}
+ if: >-
+ ${{ github.event_name == 'workflow_dispatch' ||
+ (github.event.workflow_run.conclusion == 'success' &&
+ github.event.workflow_run.head_repository.full_name == github.repository) }}
 runs-on: [self-hosted, rsp-p5-01]
 steps:
From bbcea5197baba495aeec1764ba5f8ecb6994ae00 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta <73165318+soumeh01@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:14:59 +0200
Subject: [PATCH 2/3] Add branch filter for workflow_run trigger
---
 .github/workflows/Run_RPS_AppKit-E8.yml | 1 +
 1 file changed, 1 insertion(+)
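Review bot: In the `fork-pr-blocked` job of PATCH 1/3 the "Comment on PR" step cannot run as written: the preceding step ends with `exit 1`, and because the comment step's `if:` contains no status function it is evaluated with an implicit `success()`, so it is skipped once the first step has failed. Keep the two `echo` lines in the first step and move the failure into a final step after the comment (`run: exit 1`), or post the comment first. Separately, `github.event.workflow_run.pull_requests` is, as far as I know, empty for runs that originate from a fork, so the guard `pull_requests[0].number` would still be false for exactly the PRs this job targets; that needs confirming, and if so the PR has to be looked up from `github.event.workflow_run.head_sha` inside the script. The `head_repository.full_name == github.repository` condition on `CI` is the check that actually keeps fork-triggered runs off `[self-hosted, rsp-p5-01]` and deserves a comment saying so, e.g. `# Security: never run fork-triggered builds on the private runner`. The `CI` job's steps continue outside the hunk.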
diff --git a/.github/workflows/Run_RPS_AppKit-E8.yml b/.github/workflows/Run_RPS_AppKit-E8.yml
index c0146ec..80017d5 100644
--- a/.github/workflows/Run_RPS_AppKit-E8.yml
+++ b/.github/workflows/Run_RPS_AppKit-E8.yml
@@ -20,6 +20,7 @@ on:
 workflow_run:
 workflows: ["Build RPS for AppKit-E8 Hardware"]
 types: [completed]
+ branches: [main]
 permissions:
 contents: read
From 6bdeb6d0babcf3597de517c6a418acc184952aa2 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta <73165318+soumeh01@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:23:49 +0200
Subject: [PATCH 3/3] Change branches to branches-ignore in workflow config
---
 .github/workflows/Run_RPS_AppKit-E8.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Run_RPS_AppKit-E8.yml b/.github/workflows/Run_RPS_AppKit-E8.yml
index 80017d5..6d3cb81 100644
--- a/.github/workflows/Run_RPS_AppKit-E8.yml
+++ b/.github/workflows/Run_RPS_AppKit-E8.yml
@@ -20,7 +20,7 @@ on:
 workflow_run:
 workflows: ["Build RPS for AppKit-E8 Hardware"]
 types: [completed]
- branches: [main]
+ branches-ignore: ["main"]
 permissions:
 contents: read
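Review bot: `branches-ignore: ["main"]` in PATCH 3/3 needs a comment stating the intent, because for `workflow_run` the branch filters match the head branch name of the triggering run, so this final form stops hardware runs for builds of `main` while admitting every other branch. A pull request opened from a fork's own `main` branch would presumably be filtered out before any job starts, so neither `fork-pr-blocked` nor its comment would fire for it. The trigger filter is not what protects the private runner; that is the `head_repository.full_name` check on the `CI` job, so I would add above this line something like `# Trigger filter only; fork isolation is enforced by the job-level head_repository check`. Whether runs for `main` should really be dropped needs confirming, since PATCH 2/3 had just restored `branches: [main]`.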