From d217ed61824baac2bf8e368f9afda342b063481b Mon Sep 17 00:00:00 2001 From: Musee Ullah Date: Wed, 4 Dec 2024 07:47:59 +0900 Subject: [PATCH] [actions] don't run Amplify on PRs from forks GitHub does not mint OIDC tokens for externally sourced PRs so this workflow can't successfully run. An alternative solution (like via an approval comment?) should be identified and implemented eventually to allow the workflow for previous contributors using their own forks. This also updates the workflow to run on the develop branch. --- .github/workflows/amplify.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml index 60d74b2..85afa6e 100644 --- a/.github/workflows/amplify.yml +++ b/.github/workflows/amplify.yml @@ -4,7 +4,7 @@ on: pull_request: {} workflow_dispatch: {} push: - branches: ["main"] + branches: ["main", "develop"] permissions: contents: read @@ -14,7 +14,7 @@ jobs: amplify-security-scan: name: Amplify Security Scan runs-on: ubuntu-latest - if: (github.actor != 'dependabot[bot]') + if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' steps: - name: Checkout uses: actions/checkout@v4
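Review bot: The new `if:` on `amplify-security-scan` (second hunk) compares `github.event.pull_request.head.repo.full_name` with `github.repository` on every event, but the workflow also triggers on `push` and `workflow_dispatch`, where the payload has no `pull_request` object. On those events the left side is empty and the comparison is false, so the scan would be skipped on branch pushes, including the `develop` pushes that the first hunk adds. Scope the fork check to pull-request events: `if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'`. GitHub reports a job skipped by `if:` as successful, so if this scan is a required check (not visible here), fork PRs would show it as passed without being scanned; a comment above the condition should say so. The job's steps continue outside the hunk.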