scan: skip running if the PR head is a fork (#28107)

Signed-off-by: Ryan Cragun <me@ryan.ec>
hashicorp · Aug 16, 2024 · d5c6776 · d5c6776
1 parent 62e0e62
commit d5c6776
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -16,10 +16,10 @@ on:
 jobs:
   scan:
     runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
-    # The first check ensures this doesn't run on community-contributed PRs, who
-    # won't have the permissions to run this job.
+    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
+    # permissions to run this job.
     if: |
-      (startsWith(github.repository, 'hashicorp/vault') || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) &&
+      ! github.event.pull_request.head.repo.fork &&
       github.actor != 'dependabot[bot]' &&
       github.actor != 'hc-github-team-secure-vault-core'
     steps: