From 402d36d21fa6e842f29ff857eb0d00a17d15a6d8 Mon Sep 17 00:00:00 2001 From: Nano Taboada Date: Fri, 24 Oct 2025 11:59:53 -0300 Subject: [PATCH 1/2] chore(ci): skip coverage upload for external fork PRs External contributors' PRs fail when uploading coverage reports because GitHub Actions doesn't expose secrets to workflows triggered by forks (security measure). This adds a conditional to skip the coverage job for external PRs while still running tests. Coverage will still run for: - Dependabot PRs (same repository) - Internal team PRs (same repository) - Pushes to master (post-merge) External contributors will see their tests pass successfully without the coverage upload step.
---
 .github/workflows/python-app.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 5bc8d8b..1b8184c 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -79,6 +79,9 @@ jobs:
 coverage:
 needs: test
 runs-on: ubuntu-latest
+ # Only run coverage for PRs from the same repository (not forks)
+ # This ensures secrets are available for Codecov and Codacy
+ if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
 strategy:
 matrix:
 service: [codecov, codacy]
@@ -107,8 +110,8 @@ jobs:
 container:
 needs: coverage
- runs-on: ubuntu-latest
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+ runs-on: ubuntu-latest
 permissions:
 contents: read
From 66cbd4f20c0b1974473a7d20b78acfd7d4f1da09 Mon Sep 17 00:00:00 2001 From: Nano Taboada <87288+nanotaboada@users.noreply.github.com> Date: Fri, 24 Oct 2025 12:19:32 -0300 Subject: [PATCH 2/2] chore(ci): adjust skipping coverage upload for external fork PRs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/python-app.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
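Review bot: The `if:` added to the `coverage` job in the first hunk assumes every same-repository PR has secrets, but workflows triggered by Dependabot pull requests do not receive regular Actions secrets, only Dependabot secrets. The upload can therefore still fail for the "Dependabot PRs" case the commit message lists. Whether the Codecov and Codacy tokens are also stored as Dependabot secrets is not visible here; if they are not, either add them there or exclude the bot, e.g. `if: github.event_name == 'push' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')`. PATCH 2/2 carries the same condition with only the operand order changed, so the point applies there too.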
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 1b8184c..9d6d1e3 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -81,7 +81,7 @@ jobs:
 runs-on: ubuntu-latest
 # Only run coverage for PRs from the same repository (not forks)
 # This ensures secrets are available for Codecov and Codacy
- if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
+ if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
 strategy:
 matrix:
 service: [codecov, codacy]
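Review bot: The two comment lines above the reordered `if:` do not describe the whole condition: it also admits every `push`, and it does not make secrets available, it only skips the job where they would be missing. Suggested wording: `# Run on push and on PRs whose head repo is this repository.` followed by `# Fork PRs get no secrets, so the Codecov/Codacy upload is skipped for them.` Any other trigger, such as a manually dispatched run, also evaluates to false and skips `coverage`; whether the workflow defines such triggers is outside this hunk.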