feat: restrict actions that use secrets to docker/docker-credential-helpers

This change adds conditional expressions to restrict the execution of
pipeline steps that consume secrets, such as uploading artifacts to
remote stores, from being executed unless they are being executed in the
context of the upstream `docker/docker-credential-helpers` repository.

With this change, downstream, external contributors (users who have
forked this repository, and have that fork on GitHub) can enable GitHub
Actions in their fork, in order to iterate and validate their changes
without waiting on the upstream maintainers.

This is extremely helpful to all contributors, because the repository
requires maintainer approval in order to execute pipelines, which is
burdensome on the maintainers, and due to this restrictive gatekeeping,
contributors have an excessively long feedback loop.

Signed-off-by: sudoforge <[email protected]>

Author: sudoforge

.github/workflows/build.yml

@@ -108,6 +108,7 @@ jobs:
       -
         name: Upload coverage
         uses: codecov/codecov-action@v4
+        if: github.repository == 'docker/docker-credential-helpers'
         with:
           file: ${{ env.DESTDIR }}/coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -132,6 +133,7 @@ jobs:
       -
         name: Upload coverage
         uses: codecov/codecov-action@v4
+        if: github.repository == 'docker/docker-credential-helpers'
         with:
           file: ${{ env.DESTDIR }}//coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -174,7 +176,9 @@ jobs:
           if-no-files-found: error
       -
         name: GitHub Release
-        if: startsWith(github.ref, 'refs/tags/v')
+        if: |
+          startsWith(github.ref, 'refs/tags/v') &&
+          github.repository == 'docker/docker-credential-helpers'
         uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87  # v2.0.5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}