From 1925ed27a0fa16d638fb21668f538554c666ee31 Mon Sep 17 00:00:00 2001
From: Edward McFarlane <3036610+emcfarlane@users.noreply.github.com>
Date: Tue, 20 Aug 2024 17:22:43 -0400
Subject: [PATCH] Disable PR comment by default from forks (#64)
Forked PRs can fail to access the secrets for the repository. This can fail on trying to comment the results from CI on the PR. Disable comments for all forked by default.
---
 README.md | 6 +++---
 action.yml | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 7c7d9d6..54195da 100644
--- a/README.md
+++ b/README.md
@@ -67,14 +67,14 @@ Add these parameters under the `with` section of the `uses` step in the workflow
 | `paths` | Limit to specific files or directories (separated by newlines). | |
 | `exclude_imports` | Exclude files imported by the target modules. | False |
 | `exclude_paths` | Exclude specific files or directories, e.g. "proto/a/a.proto", "proto/a" (separated by newlines). | |
-| `pr_comment` | Comment the results on the pull request. The workflow and job name combination must be unique. | Only on pull requests |
+| `pr_comment` | Comment the results on the pull request. The workflow and job name combination must be unique. | Only on pull requests (non forks) |
 | `format` | Whether to run the formatting step. | Runs on pushes to Git PR |
 | `lint` | Whether to run the linting step. | Runs on pushes to Git PR |
 | `breaking` | Whether to run the breaking change detection step. | Runs on pushes to Git PR |
 | `breaking_against` | [Input](https://buf.build/docs/reference/inputs) to compare against. | Base of the PR or the commit before the event |
-| `push` | Whether to run the push step. | Runs on Git pushes |
+| `push` | Whether to run the push step. | Runs on Git pushes (non forks) |
 | `push_disable_create` | Disables repository creation if it does not exist. | False |
-| `archive` | Whether to run the archive step. | Runs on Git deletes |
+| `archive` | Whether to run the archive step. | Runs on Git deletes (non forks) |
 | `setup_only` | Setup only the `buf` environment, optionally logging into the BSR, but without executing other commands. | |
 | `github_actor` | GitHub actor for API requests. | Actor from GitHub context |
 | `github_token` | GitHub token for API requests. Ensures requests aren't rate limited | Token from GitHub context |
diff --git a/action.yml b/action.yml
index 3566fad..aac3a10 100644
--- a/action.yml
+++ b/action.yml
@@ -56,8 +56,9 @@ inputs:
 pr_comment:
 description: |-
 Comment on the pull request with the results of each step. The workflow and job name combination must be unique.
+ Only runs on pull requests, for non forked repositories.
 required: false
- default: ${{ github.event_name == 'pull_request' }}
+ default: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
 input:
 description: |-
@@ -115,7 +116,7 @@ inputs:
 push:
 description: |-
- Whether to run the push step. Runs by default on pushes.
+ Whether to run the push step. Runs by default on pushes, for non forked repositories.
 required: false
 default: ${{ github.event_name == 'push' }}
 push_disable_create:
@@ -126,7 +127,7 @@ inputs:
 archive:
 description: |-
- Whether to run the archive step. Runs by default on deletes.
+ Whether to run the archive step. Runs by default on deletes, for non forked repositories.
 required: false
 default: ${{ github.event_name == 'delete' }}
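Review bot: The fork condition added to the `pr_comment` default takes effect only when the input is left unset, so a workflow that passes `pr_comment: true` will still attempt the comment on a pull request from a fork, where the token is normally read-only and repository secrets are withheld. The new description line should say that and name the real condition, for example `Runs by default only on pull requests whose head branch is in this repository (not on pull requests from forks).` A comment above the default would record the reason: `# Fork PRs get a read-only GITHUB_TOKEN and no secrets, so commenting is off by default there.` Whether the action tolerates a rejected comment call at runtime is not visible in this hunk.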
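Review bot: The `push` description now promises "for non forked repositories", but the default under it is still `${{ github.event_name == 'push' }}` with no fork condition; the `archive` hunk after it has the same mismatch with `github.event_name == 'delete'`. A reader who relies on the description would expect both steps to be skipped in a fork, and nothing in these hunks does that. If the restriction is enforced elsewhere in the action, the description should say where; if not, either drop the phrase or add the condition, e.g. `default: ${{ github.event_name == 'push' && !github.event.repository.fork }}` (assuming "non forked" means the repository itself is not a fork).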