
fix: prevent is-fork (#4671)

* fix: prevent is-fork

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: syntax

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho 1 year ago
parent
commit
25f515d5f0

+ 1 - 0
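--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -170,4 +170,5 @@ jobs:
       username: ${{ github.actor }}
     secrets:
       GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      IS_FORK: ${{ secrets.GHCR_USERNAME }} # this is just a secret to verify it is a fork or not, no other utility
 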
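Review bot: The inline comment on the new `IS_FORK` line says the secret exists only to tell forks apart, but it does not say which way the sentinel reads, and the name suggests the opposite of the actual meaning: the value is empty on fork pull requests (where repository secrets are not exposed) and non-empty in the upstream repository, so "set" means "not a fork". Suggest replacing the comment with `# Presence sentinel for publish.yml: empty on fork PRs (repository secrets are not exposed there), any non-empty value means "not a fork"; the username value itself is never used.` The same line is added in .github/workflows/rebuild-image.yml without any comment and would benefit from the same one. Presumably any run in which repository secrets are withheld, not only fork PRs, takes the fork path; if that is intended it is worth stating in the comment.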

+ 6 - 5
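--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,13 +34,14 @@ on:
     secrets:
       GHCR_TOKEN:
         required: true
+      IS_FORK:
+        required: false
 
 env:
   IMAGE_NAME: ${{ inputs.image-name }}
   TAG_SUFFIX: ${{ inputs.tag-suffix }}
   ARCH: ${{ inputs.build-arch }}
   DOCKERFILE: ${{ inputs.dockerfile }}
-  IS_FORK: ${{ secrets.GHCR_USERNAME == '' && 'true' || 'false' }}
 
 jobs:
   build-publish:
@@ -86,7 +87,7 @@ jobs:
 
       - name: Login to Docker
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        if: env.IS_FORK == 'false'
+        if: secrets.IS_FORK != ''
         with:
           registry: ghcr.io
           username: ${{ inputs.username }}
@@ -111,7 +112,7 @@ jobs:
           echo "image-tag=${TAG}" >> $GITHUB_OUTPUT
 
       - name: Build & Publish Artifacts
-        if: env.IS_FORK == 'false'
+        if: secrets.IS_FORK != ''
         shell: bash
         env:
           IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
@@ -122,7 +123,7 @@ jobs:
         run: make docker.build
 
       - name: Build & Publish Artifacts fork
-        if: env.IS_FORK == 'true'
+        if: secrets.IS_FORK == ''
         shell: bash
         env:
           IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
@@ -151,7 +152,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Sign image
-        if: env.IS_FORK == 'false'
+        if: secrets.IS_FORK != ''
         uses: ./.github/actions/sign
         with:
           image-name: ${{ inputs.image-name }}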
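Review bot: The new `IS_FORK` secret in the `on:` hunk is declared `required: false` with no description, so a caller that simply omits it silently takes the fork path: Login to Docker, Build & Publish Artifacts and Sign image are all skipped with no error, and the gating conditions `secrets.IS_FORK != ''` / `secrets.IS_FORK == ''` read inverted to the name (non-empty means "not a fork"). That is fail-closed for publishing, but a misconfigured caller would look like a green run with nothing published or signed. Suggest a comment under the declaration, e.g. `# Presence sentinel: callers pass a repository secret here. Empty on fork PRs; any non-empty value means "not a fork". Omitting it disables login, publish and signing without error.` The same condition is repeated in the four step-level `if:` hunks (Login to Docker, both Build & Publish steps, Sign image) and must stay in sync if the sentinel is ever renamed or its polarity changed.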

+ 1 - 0
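--- a/.github/workflows/rebuild-image.yml
+++ b/.github/workflows/rebuild-image.yml
@@ -68,3 +68,4 @@ jobs:
       username: ${{ github.actor }}
     secrets:
       GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      IS_FORK: ${{ secrets.GHCR_USERNAME }}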