From c5a76b6f30f9d4510f430449358f5daadf242362 Mon Sep 17 00:00:00 2001
From: Musee Ullah <lae@lae.is>
Date: Wed, 4 Dec 2024 07:47:59 +0900
Subject: [PATCH] [actions] don't run Amplify on PRs from forks

GitHub does not mint OIDC tokens for externally sourced PRs so this workflow can't successfully run. An alternative solution (like via an approval comment?) should be identified and implemented eventually to allow the workflow for previous contributors using their own forks.
---
 .github/workflows/amplify.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml
index 60d74b2..85afa6e 100644
--- a/.github/workflows/amplify.yml
+++ b/.github/workflows/amplify.yml
@@ -4,7 +4,7 @@ on:
   pull_request: {}
   workflow_dispatch: {}
   push:
-    branches: ["main"]
+    branches: ["main", "develop"]
 
 permissions:
   contents: read
@@ -14,7 +14,7 @@ jobs:
   amplify-security-scan:
     name: Amplify Security Scan
     runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
+    if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
         uses: actions/checkout@v4