build: make gha workflows that run on main fork-friendly

chadlwilson · chadlwilson · commit 835494c8c632 · 2026-02-08T01:41:08.000+08:00
Some of these won't work on forks due to missing secrets or use unnecessary compute. An alternative would be to run them if the secret is present, but that seems less explicit as to intent.

Signed-off-by: Chad Wilson &lt;29788154+chadlwilson@users.noreply.github.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,6 +18,7 @@ jobs:
     runs-on: ubuntu-latest 
     steps:
       - name: Install gpg secret key
+        if: github.repository_owner == 'dependency-check'
         id: install-gpg-key
         run: |
           cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
@@ -65,7 +66,7 @@ jobs:
           MAVEN_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode
+        run: mvn -V -s settings.xml clean package verify source:jar javadoc:jar ${{ steps.install-gpg-key.outcome == 'success' && '-Prelease gpg:sign deploy' || '' }} -DreleaseTesting --no-transfer-progress --batch-mode
       - name: SARIF Multitool
         uses: microsoft/sarif-actions@v0.2
         with:
@@ -108,9 +109,6 @@ jobs:
     name: Build and Test Docker
     runs-on: ubuntu-latest
     needs: build
-    env:
-      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
diff --git a/.github/workflows/false-positive-cleanup.yml b/.github/workflows/false-positive-cleanup.yml
@@ -7,6 +7,7 @@ on:
 permissions: {}
 jobs:
   cleanup:
+    if: github.repository_owner == 'dependency-check'
     permissions:
       actions: write  #  to delete workflow runs
 
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -15,6 +15,7 @@ concurrency:
 
 jobs:
   action:
+    if: github.repository_owner == 'dependency-check'
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,7 @@ on:
 
 jobs:
   build:
+    if: github.repository_owner == 'dependency-check'
     name: Build dependency-check
     runs-on: ubuntu-latest 
     steps:
