Skip to content

Guard demo workflow artifact uploads on forked PRs#3817

Open
MontrealAI wants to merge 1 commit into
mainfrom
codex/refactor-code-to-follow-best-practices-o8dqpq
Open

Guard demo workflow artifact uploads on forked PRs#3817
MontrealAI wants to merge 1 commit into
mainfrom
codex/refactor-code-to-follow-best-practices-o8dqpq

Conversation

@MontrealAI
Copy link
Copy Markdown
Owner

@MontrealAI MontrealAI commented Jan 8, 2026

Motivation

  • Prevent failing artifact uploads and permission errors when demo workflows run for forked pull requests where the runner token lacks write permissions.
  • Avoid attempting to publish artifacts from untrusted fork contexts by gating uploads to events that have a writable token.

Description

  • Added an if guard (${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}) to actions/upload-artifact steps in demo workflows.
  • Updated the following workflow files: .github/workflows/demo-asi-global.yml, .github/workflows/demo-asi-takeoff.yml, .github/workflows/demo-aurora.yml, .github/workflows/demo-zenith-hypernova.yml, .github/workflows/demo-zenith-sapience-celestial-archon.yml, .github/workflows/demo-zenith-sapience-initiative.yml, .github/workflows/demo-zenith-sapience-omnidominion.yml, and .github/workflows/demo-zenith-sapience-planetary-os.yml.
  • The guard preserves uploads for non-pull_request events and for pull requests originating from the same repository (non-forks).

Testing

  • No automated tests were executed because this is a workflow-only change.
  • Behavior will be validated on subsequent workflow runs where CI executes these demo workflows under both forked and non-forked contexts.

Codex Task

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jan 8, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e40ec4b562

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/demo-asi-global.yml
run: npm run demo:asi-global:local

- name: Upload global demo artefacts
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Treat forked repos' internal PRs as non-fork

This guard uses github.event.pull_request.head.repo.fork == false to decide whether a PR is “from a fork,” but head.repo.fork is true for any repository that itself is a fork. If this repo is a fork (e.g., downstream or mirrored forks), then same-repo PRs will now skip artifact uploads even though the token has write access, which is a behavior regression for internal PRs. Consider checking github.event.pull_request.head.repo.full_name == github.repository (or comparing repo IDs) so internal PRs in forked repos still upload.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MontrealAI