
ci: restrict sensitive workflow jobs to upstream repository only#5052

Merged
arkid15r merged 3 commits into OWASP:main from devnchill:ci/skip-some-actions-on-forks on Jun 27, 2026

Conversation

devnchill (Contributor) commented Jun 26, 2026

Proposed change

Resolves #4968


Adds if: github.event.repository.fork == false to some jobs to skip running in forked repos.

I wanted to get some clarification on the following:

  • Many workflow_call jobs are protected indirectly through their callers, so I skipped adding checks for them individually. Do I need to add them?

  • Some files just have one job with a fork check already; I left it that way. Not sure if I need to create a separate job and then add it as needs for these too.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran all required checks and tests locally; all warnings addressed and failures resolved
  • I used AI for code, documentation, tests, or communication related to this PR

@github-actions github-actions Bot added the ci label Jun 26, 2026
coderabbitai Bot (Contributor) commented Jun 26, 2026


Summary by CodeRabbit

  • Bug Fixes
    • Improved workflow safeguards so CI, code scanning, dependency review, and test uploads do not run on forked pull requests.
    • Added consistent checks to ensure production and staging deployment jobs only run from the main repository.
    • Streamlined test coverage handling by using a shared gate before coverage uploads run.

Walkthrough

The workflows add fork checks that skip CI/CD, CodeQL, and dependency-review jobs on forked repositories. run-code-tests also adds a dedicated check-fork job and makes backend and frontend coverage uploads depend on it.

Changes

Fork checks across workflows

  • Shared coverage gate (.github/workflows/run-code-tests.yaml): Adds a check-fork job and routes the backend and frontend coverage upload jobs through needs: check-fork.
  • Job-level fork guards (.github/workflows/ci-cd-production.yaml, .github/workflows/ci-cd-staging.yaml, .github/workflows/code-ql-actions.yaml, .github/workflows/code-ql-javascript-typescript.yaml, .github/workflows/code-ql-python.yaml, .github/workflows/dependency-review.yaml): Adds fork checks to the listed workflow jobs so they skip on forked repositories.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • cubic-dev-ai
  • kasya
Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly matches the main change: restricting sensitive GitHub Actions jobs to the upstream repository.
  • Description check: Passed. The description is directly related to the workflow fork-guard changes and the linked issue.
  • Linked Issues check: Passed. The workflow updates add fork checks to the targeted jobs, satisfying the issue's request to skip upstream-only jobs in forks.
  • Out of Scope Changes check: Passed. The added guard job and needs changes are in scope for preventing sensitive workflows from running in forked repositories.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
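The gate pattern described in the PR body and in the walkthrough above, written out as an added illustration rather than a copy of the project's own workflow files (which the page does not reproduce): a check-fork job carries the if: github.event.repository.fork == false condition and the coverage upload job depends on it through needs. The workflow name, the job names other than check-fork, and the placeholder steps are assumptions. Two facts about the expressions debated in this thread: github.event.repository is the repository the workflow is executing in, so its fork field is true only when the workflow itself runs inside a fork; github.event.pull_request.head.repo is the pull request's source repository, so its fork field is true for contributor PRs opened from forks against upstream, and it is absent on push events.

```yaml
# Added example, not the project's workflow file. Workflow name, job names other
# than check-fork, and the echo steps are placeholders.
name: run-code-tests (illustrative)

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  # Gate job. github.event.repository is the repository running the workflow,
  # so this condition is false upstream and true inside any fork of it.
  check-fork:
    if: github.event.repository.fork == false
    runs-on: ubuntu-latest
    steps:
      - run: echo "workflow is running in the upstream repository"

  # The tests themselves run everywhere; only the upload is gated.
  run-backend-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "placeholder for the real backend test step"

  # Dependent job. When check-fork is skipped, this job is skipped as well:
  # a job whose needs target did not succeed does not run unless its own if:
  # uses a status function such as always(). One gate therefore covers every
  # job that lists it in needs.
  upload-backend-coverage:
    needs: [check-fork, run-backend-tests]
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the coverage upload step"

  # For comparison only. This inspects the pull request's source repository,
  # not the one running the workflow: it is true for contributor PRs from forks
  # even when the run happens upstream, so it expresses a different policy
  # (skip fork-origin PRs) from the one in the PR title (skip when running in
  # a fork). The event_name check is needed because github.event.pull_request
  # does not exist on push events.
  head-repo-check-for-comparison:
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    steps:
      - run: echo "pull request originates from the upstream repository itself"
```

The two conditions answer different questions, which is why the reviewers in this thread disagree about which one is "wrong": the first keeps a forked copy of the repository from running jobs that need upstream-only resources, the second filters pull requests by where they were opened from. Pull_request runs triggered from forks already execute upstream with a read-only GITHUB_TOKEN and without repository secrets, so the first condition does not by itself weaken that default.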

coderabbitai Bot previously approved these changes Jun 26, 2026

cubic-dev-ai Bot (Contributor) left a comment

1 issue found across 7 files

Confidence score: 2/5

  • In .github/workflows/run-code-tests.yaml, the fork check uses github.event.repository.fork == false, which still allows fork-originated pull_request runs because that field points to the base repo; merging as-is can execute untrusted fork code under the upstream workflow context and expose CI resources/secrets if any are available — switch the gate to a head-repo/fork-aware condition (for example using github.event.pull_request.head.repo.fork or equivalent) before merging.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 5


Inline comments:
In @.github/workflows/code-ql-actions.yaml:
- Line 31: The job condition is checking the PR head repository fork status,
which wrongly skips CodeQL for upstream pull requests from forks; update the
workflow gate in the CodeQL job to rely on the repository running the workflow
instead of github.event.pull_request.head.repo.fork, so execution is restricted
only when the workflow itself is in a forked repository. Use the existing
workflow job condition around the CodeQL action to apply the fix consistently.

In @.github/workflows/code-ql-javascript-typescript.yaml:
- Line 47: The fork guard in the CodeQL workflow is checking the pull request
source repo instead of the repository running the workflow, which skips upstream
scanning for contributor forks. Update the conditional on the workflow job to
use the repository context from the workflow runtime, not
pull_request.head.repo.fork, and keep the restriction scoped to the current
repo. Use the workflow job condition around the CodeQL scan step in
code-ql-javascript-typescript.yaml to locate and adjust this logic.

In @.github/workflows/code-ql-python.yaml:
- Line 37: The CodeQL workflow condition is checking the pull request source
repo rather than whether the workflow is running in the upstream repository.
Update the `if` guard in the Python CodeQL workflow so it distinguishes upstream
execution from forked-repo execution, not just
`github.event.pull_request.head.repo.fork`. Use the existing workflow context
around the `if:` condition to allow Python CodeQL to run for upstream PRs,
including external-contributor PRs opened against the upstream repo, while still
skipping true fork-origin executions as intended.

In @.github/workflows/dependency-review.yaml:
- Line 24: The dependency review condition is checking the pull request source
repository via github.event.pull_request.head.repo.fork, which skips forked PRs
instead of restricting execution to the current repo. Update the workflow gate
in dependency-review to use the repository running the workflow (for example,
the base/current repository context) so dependency review only runs for upstream
repository executions, and keep the condition aligned with the intended “current
repository only” behavior.

In @.github/workflows/run-code-tests.yaml:
- Line 13: The shared workflow gate is using PR-event-only fork detection, which
still allows non-PR events from forked repositories to pass and lets the
coverage upload jobs run. Update the condition in the workflow that guards the
upload jobs to use repository-level fork detection instead of
github.event.pull_request null checks, and apply it consistently wherever the
shared gate is reused so both upload paths stay upstream-only.
📥 Commits

Reviewing files that changed from the base of the PR and between bb04f57 and d287f54.

📒 Files selected for processing (5)
  • .github/workflows/code-ql-actions.yaml
  • .github/workflows/code-ql-javascript-typescript.yaml
  • .github/workflows/code-ql-python.yaml
  • .github/workflows/dependency-review.yaml
  • .github/workflows/run-code-tests.yaml


cubic-dev-ai Bot (Contributor) left a comment

4 issues found across 5 files (changes from recent commits).

devnchill force-pushed the ci/skip-some-actions-on-forks branch from d287f54 to bb04f57 on June 26, 2026 06:37
coderabbitai Bot previously approved these changes Jun 26, 2026
@devnchill devnchill marked this pull request as ready for review June 26, 2026 08:01
@devnchill devnchill requested review from arkid15r and kasya as code owners June 26, 2026 08:01

arkid15r (Collaborator) left a comment

It looks like only ci-cd-staging needs this (we can also keep it for production just for consistency).

cubic-dev-ai Bot (Contributor) left a comment

1 issue found across 4 files (changes from recent commits).

File .github/workflows/code-ql-actions.yaml, violation 1, P1: Fork-restriction guard was removed from the CodeQL Actions job, causing it to run in forked repositories contrary to the PR's stated objective of restricting sensitive jobs to the upstream repository only.


@arkid15r arkid15r enabled auto-merge June 27, 2026 00:39
codecov Bot commented Jun 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.74%. Comparing base (c9c7c1f) to head (93f3738).

Additional details and impacted files


@@           Coverage Diff           @@
##             main    #5052   +/-   ##
=======================================
  Coverage   98.74%   98.74%           
=======================================
  Files         539      539           
  Lines       17069    17069           
  Branches     2421     2421           
=======================================
  Hits        16854    16854           
  Misses        123      123           
  Partials       92       92           
Flag Coverage Δ
backend 99.45% <ø> (ø)
frontend 96.71% <ø> (ø)

Continue to review full report in Codecov by Harness.

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

devnchill (Contributor, Author) commented Jun 27, 2026

It looks like only ci-cd-staging needs this (we can also keep it for production just for consistency).

Hmm the tests already had it to prevent coverage upload from running

@arkid15r arkid15r added this pull request to the merge queue Jun 27, 2026
Merged via the queue into OWASP:main with commit 25ddb09 Jun 27, 2026
31 of 32 checks passed


Successfully merging this pull request may close these issues.

Add check to prevent github actions from running in forked repository
