Don't run scorecard on forks

xhochy · xhochy · commit 6503c194baf2 · 2025-05-08T15:56:05.000+02:00
diff --git a/template/.github/workflows/scorecard.yml.jinja b/template/.github/workflows/scorecard.yml.jinja
@@ -1,3 +1,4 @@
+{%- raw -%}
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
@@ -23,7 +24,10 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
-    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+{%- endraw -%}
+{% set github_repo_url = github_url.split("/")[-2:].join("/") %}
+    if: (github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request') && github.repository == '{{ github_repo_url }}'
+{%- raw -%}
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
@@ -77,3 +81,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@97a2bfd2a3d26d458da69e548f7f859d6fca634d # v3.28.15
         with:
           sarif_file: results.sarif
+{%- endraw -%}
