ci: exclude some workflows from forks/branches & better scope permissions (#57)

2023-11-03 15:26:26 +00:00 · 2023-11-03 15:26:26 +00:00 · 32c742bfce
commit 32c742bfce
parent 96e861b5ab
3 changed files with 16 additions and 10 deletions
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -1,12 +1,14 @@
 name: Format

 on:
-  - push
-  - pull_request
+  push:
+    branches: [main]
+  pull_request:

 jobs:
  format-check:
    runs-on: ubuntu-latest
+
    steps:
      - uses: actions/checkout@v2
      - uses: cachix/install-nix-action@v20
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,13 +4,14 @@ on:
  push:
    branches: [main]

-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
  release-please:
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+
    steps:
      - uses: google-github-actions/release-please-action@v3
        with:
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@ -5,20 +5,23 @@ on:
    paths:
      - "modules/home-manager/**"
      - "modules/nixos/**"
-
-permissions:
-  contents: write
-
+  workflow_dispatch:

 jobs:
  update-docs:
    runs-on: ubuntu-latest

+    permissions:
+      contents: write
+
    strategy:
      max-parallel: 1
      matrix:
        package: ["nixos", "home-manager"]

+    # we only want this running on our repo, on the `main` branch
+    if: github.repository == 'Stonks3141/ctp-nix' && github.ref_name == 'main'
+
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v22