CI: Avoid running on 'push' in mirrors / forks (#110063)

* CI: Avoid running on 'push' in mirrors / forks

* use single quotes

.github/workflows/go-lint.yml

@@ -14,6 +14,8 @@ permissions:
 
 jobs:
   detect-changes:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     name: Detect whether code changed
     runs-on: ubuntu-latest
     permissions:

.github/workflows/i18n-verify.yml

@@ -12,4 +12,6 @@ on:
 
 jobs:
   verify-i18n:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     uses: grafana/grafana-github-actions/.github/workflows/verify-i18n.yml@main

.github/workflows/lint-build-docs.yml

@@ -20,6 +20,8 @@ permissions: {}
 
 jobs:
   docs:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     name: Build & Verify Docs
     runs-on: ubuntu-latest
 

.github/workflows/pr-frontend-unit-tests.yml

@@ -10,6 +10,8 @@ permissions: {}
 
 jobs:
   detect-changes:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     name: Detect whether code changed
     runs-on: ubuntu-x64-small
     permissions:
@@ -166,4 +168,4 @@ jobs:
         with:
           needs: ${{ toJson(needs) }}
           failure-message: "One or more unit test jobs have failed"
-          success-message: "All unit tests completed successfully"
+          success-message: "All unit tests completed successfully"

.github/workflows/reject-gh-secrets.yml

@@ -12,6 +12,8 @@ permissions: {}
 
 jobs:
   reject-gh-secrets:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -28,4 +30,4 @@ jobs:
             echo "Found secrets access in the codebase. Please remove it in favour of Vault secrets."
             echo "If you are sure this is correct, add '# nolint:reject-gh-secrets' to the end of the line. Be VERY careful with this."
             exit 1
-          fi
+          fi

.github/workflows/release-build.yml

@@ -49,7 +49,7 @@ jobs:
   setup:
     name: setup
     runs-on: github-hosted-ubuntu-x64-small
-    if: github.repository == 'grafana/grafana'
+    if: (github.repository == 'grafana/grafana') || (github.repository == 'grafana/grafana-security-mirror' && contains(github.ref_name, '+security'))
     outputs:
       version: ${{ steps.output.outputs.version }}
       grafana-commit: ${{ steps.output.outputs.grafana_commit }}
@@ -104,10 +104,11 @@ jobs:
           BUCKET: grafana-prerelease
           GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
           SOURCE_EVENT: ${{ inputs.source-event || github.event_name }}
+          REPO: ${{ github.repository }}
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |
-            const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, SOURCE_EVENT} = process.env;
+            const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, SOURCE_EVENT, REPO} = process.env;
 
             await github.rest.actions.createWorkflowDispatch({
                 owner: 'grafana',
@@ -120,6 +121,7 @@ jobs:
                   "bucket": BUCKET,
                   "grafana-commit": GRAFANA_COMMIT,
                   "source-event": SOURCE_EVENT,
+                  "upstream": REPO,
                 }
             })
 

.github/workflows/shellcheck.yml

@@ -15,6 +15,8 @@ permissions: {}
 
 jobs:
   shellcheck:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     name: Shellcheck scripts
     runs-on: ubuntu-latest
     permissions:

.github/workflows/swagger-gen.yml

@@ -15,6 +15,8 @@ concurrency:
 
 jobs:
   detect-changes:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
     name: Detect whether code changed
     runs-on: ubuntu-latest
     permissions:

.github/workflows/trigger-dashboard-search-e2e.yml

@@ -22,7 +22,8 @@ env:
 jobs:
   trigger-search-e2e:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name == 'push' && github.repository == 'grafana/grafana')
     steps:
       - name: Trigger Dashboard Search E2E
-        run: echo "Triggered Dashboard Search e2e..."
+        run: echo "Triggered Dashboard Search e2e..."