From 52e3c72d62d80560cf3c0c56c6b8782c4df6320a Mon Sep 17 00:00:00 2001
From: Ignacio Flores <inifl99@gmail.com>
Date: Tue, 23 Jun 2026 13:04:47 -0300
Subject: [PATCH] fix: skip secret-dependent CI steps for fork PRs

SonarQube Scanner fails on fork PRs because SONAR_TOKEN and
SONAR_HOST_URL secrets are not available in that context. The
`Commit & push API Docs` step would similarly fail since the
GITHUB_TOKEN has read-only permissions for forks.

Add `if` conditions to skip both steps when the PR originates
from a fork.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 413429893..cfecbfd63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -196,6 +196,7 @@ jobs:
           echo "SONAR_PROJECT_VERSION=$(echo $GITHUB_SHA | cut -c1-8)" >> $GITHUB_ENV
           echo "SONAR_REPORT_PATHS=$(ls coverage/coverage-*.json | paste -sd "," -)" >> $GITHUB_ENV
       - name: SonarQube Scanner
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
         uses: sonarsource/sonarqube-scan-action@v8.0.0
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -224,7 +225,7 @@ jobs:
         if: ${{ env.OPENAPI }}
         run: bundle exec ./bin/merge-api-docs.rb
       - name: Commit & push API Docs
-        if: ${{ env.OPENAPI }}
+        if: ${{ env.OPENAPI }} && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         run: |
           git config --local user.email "action@github.com"
           git config --local user.name "GitHub Action"