Privileged CI jobs skipped on fork PRs
CI pipelines will no longer instantly fail on external pull requests. Jobs requiring repository secrets or write permissions are now skipped when a PR originates from a fork.
External contributors submitting pull requests from forks often hit an immediate roadblock. GitHub Actions jobs that require organization secrets or write permissions, such as publishing Helm charts, failed instantly, because GitHub does not give pull requests from forks access to repository secrets or to a token that can push packages.
The CI pipeline is now configured to skip these privileged jobs when a pull request originates from an outside fork.
This change eliminates the automatic failures that clutter the pull request interface. By gating jobs like the Claude markdown audit and Helm pre-releases behind a same-repo check in the GitHub workflows, the pipeline stays clean. Standard validation checks like linting and testing are still the primary merge gates, and they no longer get blocked by unavoidable permission errors.
Original GitHub description:
Fork PRs can't access org secrets or push to GHCR, so these two pull_request jobs hard-fail with no path to passing:
claude-md-audit - needs CLAUDE_CODE_OAUTH_TOKEN
helm-pr-prerelease prerelease job - needs packages: write to push the chart
Hit this on #3449. Approving the run didn't help; the jobs ran and failed at the privileged step. The chart-validation lint-and-test job is fork-safe and stays untouched - that remains the merge gate for Helm changes.
Gate both jobs on same-repo head:
if: github.event.pull_request.head.repo.full_name == github.repository
Other PR workflows already handle forks fine: pr_checks (typecheck/units/e2e/sdk-compat) falls back to anonymous DockerHub pulls when secrets are missing.
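The same-repo gate placed at job level next to the fork-safe job, as an added example that is not the project's own workflow file. Only the if: expression, the job names and the packages: write requirement come from the description above; the trigger paths, chart name and path, and step contents are assumptions.

```yaml
# Constructed example. Chart name/path ("example", charts/example) are hypothetical.
name: helm-pr-prerelease
on:
  pull_request:
    paths:
      - "charts/**"            # assumed location of the chart sources

jobs:
  lint-and-test:
    # Fork-safe: needs no secrets and only a read-only token, so it runs
    # for every PR (fork or not) and remains the merge gate.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: helm lint charts/example

  prerelease:
    # Same-repo gate. For a fork PR, head.repo.full_name is the contributor's
    # "<owner>/<repo>", the comparison is false, and the job is reported as
    # skipped instead of failing at the registry push.
    if: github.event.pull_request.head.repo.full_name == github.repository
    needs: lint-and-test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # required to push the chart to GHCR
    steps:
      - uses: actions/checkout@v4
      - name: Package and push pre-release chart
        env:
          # Values are passed through env rather than interpolated into the
          # script body, so they are never parsed as shell code.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OWNER: ${{ github.repository_owner }}   # assumed to be lowercase
          PR: ${{ github.event.pull_request.number }}
        run: |
          echo "$GH_TOKEN" | helm registry login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          helm package charts/example --version "0.0.0-pr.$PR"
          helm push "example-0.0.0-pr.$PR.tgz" "oci://ghcr.io/$OWNER/charts"
```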