CI: Skip nx workflow on forks due to missing secrets #33471

Merged: kasperpeulen merged 1 commit into next from kasper/fix-nx-ci on Jan 6, 2026

Conversation

@kasperpeulen kasperpeulen (Member) commented Jan 6, 2026

What I did

Forks don't have access to repository secrets (NX_CLOUD_ACCESS_TOKEN), so the nx workflow would fail. This change ensures the workflow only runs on PRs from the main repository.

In the future, we plan to use pull_request_target to safely run on forks while still having access to secrets.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This is a CI workflow change. No manual testing is necessary - the workflow will simply be skipped for fork PRs.

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels:
      • `bug`: Internal changes that fix incorrect behavior.
      • `maintenance`: User-facing maintenance tasks.
      • `dependencies`: Upgrading (sometimes downgrading) dependencies.
      • `build`: Internal-facing build tooling & test updates. Will not show up in release changelog.
      • `cleanup`: Minor cleanup style change. Will not show up in release changelog.
      • `documentation`: Documentation **only** changes. Will not show up in release changelog.
      • `feature request`: Introducing a new feature.
      • `BREAKING CHANGE`: Changes that break compatibility in some way with current major version.
      • `other`: Changes that don't fit in the above categories.

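As an added illustration of the guard this PR describes (constructed for this page; it is not the project's actual .github/workflows/nx.yml, whose full contents are not shown here), a minimal workflow in which the nx job runs for push and scheduled events unconditionally and for pull requests only when the head repository is the base repository, so a fork PR is skipped instead of failing on the missing NX_CLOUD_ACCESS_TOKEN. The workflow name, branches, cron schedule, Node setup and the nx targets are assumptions.

```yaml
name: nx

on:
  push:
    branches: [next]        # assumed default branch
  pull_request:
  schedule:
    - cron: "0 3 * * *"     # assumed nightly run

jobs:
  nx:
    # Fork PRs cannot read repository secrets, so the job is skipped for them.
    # Push and schedule events are not pull requests and always run.
    # TODO: pull_request_target could run fork PRs with secrets, but only with
    # a trust gate, since it would execute fork-controlled code.
    if: >
      (github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository) ||
      github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    env:
      # Only reachable because the guard above excludes fork PRs.
      NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so nx can compute affected projects
      - uses: actions/setup-node@v4
        with:
          node-version: 22      # assumed
      - run: npm ci
      - run: npx nx run-many -t test   # assumed target list
```

A same-repo PR, a push to next and the nightly schedule all satisfy the `if:`; a PR whose `head.repo.full_name` is a different repository (a fork) evaluates to false and the job shows as skipped rather than failed, which is the behaviour the description asks for.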
Copilot AI review requested due to automatic review settings January 6, 2026 11:10

Copilot AI (Contributor) left a comment

Pull request overview

This PR prevents the nx workflow from running on pull requests from forks, which would otherwise fail due to missing access to the NX_CLOUD_ACCESS_TOKEN secret. The change adds a condition to check if the PR originates from the main repository before executing the workflow.

  • Adds a repository check condition to the nx workflow job to skip execution on fork PRs
  • Includes a TODO comment indicating future plans to use pull_request_target for safer fork support

Comment thread .github/workflows/nx.yml
nx:
if: >
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository &&
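Review bot: a one-line comment on the `full_name == github.repository` clause recording why it was chosen would help, since the Copilot thread on this line proposes switching to `head.repo.fork`. That thread notes `head.repo` is null once a fork is deleted; with the `full_name` form a null head makes the comparison false and the job is skipped, which is the fail-closed outcome this PR wants (no secret available, no run). Before adopting `github.event.pull_request.head.repo.fork != true`, check how that same null case evaluates: a null on the left of `!=` does not identify the PR as same-repo, so the job could run where it previously skipped.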
Copilot AI, Jan 6, 2026:

The condition to check if a PR is from a fork is incorrect. The current condition github.event.pull_request.head.repo.full_name == github.repository will fail when the head repository is null (which happens when a fork is deleted). Additionally, there's a more reliable property specifically designed for this check.

According to GitHub Actions documentation and the pattern used in trigger-circle-ci-workflow.yml (line 28), you should use github.event.pull_request.head.repo.fork instead. This property is a boolean that explicitly indicates whether the PR is from a fork.

The condition should be changed to check that the fork property is false (or the property doesn't exist for same-repo PRs). For example:
github.event.pull_request.head.repo.fork != true

This approach is more robust and handles edge cases like deleted forks better.

Suggested change:
- github.event.pull_request.head.repo.full_name == github.repository &&
+ github.event.pull_request.head.repo.fork != true &&

@coderabbitai coderabbitai Bot (Contributor) commented Jan 6, 2026

📝 Walkthrough

The PR modifies the GitHub Actions workflow to restrict the nx job execution to pull requests originating from the same repository, preventing execution on forked PRs. A comment documenting a future plan to use pull_request_target for fork support has also been added.

Changes

Cohort / File(s): GitHub Actions Workflow Security (.github/workflows/nx.yml)
Summary: Added conditional constraint to the PR-triggered nx job requiring that the PR head repository full name matches the base repository, restricting execution to same-repo PRs only. Added comment noting a future plan for handling forks via pull_request_target.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/nx.yml (1)

7-7: Consider documenting security implications in the TODO.

The TODO mentions using pull_request_target for fork support, which is a good future direction. However, pull_request_target requires careful implementation to avoid exposing secrets to untrusted code from forks. Consider expanding this comment to note that any future implementation should ensure secrets are not exposed during checkout or build steps from the PR.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 02568bb and 510bd7f.

📒 Files selected for processing (1)
  • .github/workflows/nx.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Core Unit Tests, windows-latest
🔇 Additional comments (1)
.github/workflows/nx.yml (1)

23-30: LGTM! Repository check correctly prevents fork PR execution.

The addition of github.event.pull_request.head.repo.full_name == github.repository on line 25 correctly filters out PRs from forks, preventing failures due to the missing NX_CLOUD_ACCESS_TOKEN secret. The logic preserves execution for same-repository PRs, push events, and scheduled runs.
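As an added example of the caveat raised in the nitpick above (constructed for this page; not code from the project or from either reviewer), one shape the planned pull_request_target variant can take without handing NX_CLOUD_ACCESS_TOKEN to fork-controlled code: the job runs same-repo PRs directly, runs fork PRs only after a maintainer has reviewed the diff and applied a label, keeps the GITHUB_TOKEN read-only and out of the checkout, and exposes the secret only to the single step that needs it. The label name, Node setup and nx targets are assumptions.

```yaml
name: nx (fork-aware sketch)

on:
  # pull_request_target runs in the base repository's context, so secrets are
  # available even for fork PRs. That is exactly why the PR's own code must
  # not run here without a trust gate.
  pull_request_target:
    types: [opened, synchronize, reopened, labeled]

jobs:
  nx:
    # Trust gate: same-repo PRs run directly; fork PRs run only once a
    # maintainer has read the diff and applied the (assumed) "safe to test" label.
    if: >
      github.event.pull_request.head.repo.full_name == github.repository ||
      contains(github.event.pull_request.labels.*.name, 'safe to test')
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the default token would otherwise be writable here
    steps:
      - uses: actions/checkout@v4
        with:
          # Test the proposed change, not the base branch ...
          ref: ${{ github.event.pull_request.head.sha }}
          # ... without leaving the token in .git/config for PR scripts to read.
          persist-credentials: false
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 22      # assumed
      # No secret in scope while install scripts and build hooks from the PR run.
      - run: npm ci
      # The secret is scoped to the one step that needs it. This step still
      # executes PR-controlled test code, so the label gate above, not the
      # scoping, is what protects the token for fork PRs.
      - run: npx nx run-many -t test   # assumed target list
        env:
          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
```

One operational caveat: the label survives later pushes to the same PR, so a `synchronize` event after labelling runs the new head without a fresh review unless a separate step removes the label on every push. Checking out the head commit and then running `npm ci` or nx with the secret already in the job-level `env`, with no gate at all, is the pattern the nitpick warns against.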

@kasperpeulen kasperpeulen added build Internal-facing build tooling & test updates ci:normal labels Jan 6, 2026
@nx-cloud nx-cloud Bot commented Jan 6, 2026

View your CI Pipeline Execution ↗ for commit 510bd7f

Command: nx run-many -t compile,check,knip,test,pretty-d... | Status: ✅ Succeeded | Duration: 9m 15s | Result: View ↗

☁️ Nx Cloud last updated this comment at 2026-01-06 11:27:15 UTC

@kasperpeulen kasperpeulen merged commit ae11f5d into next Jan 6, 2026
83 of 86 checks passed
@kasperpeulen kasperpeulen deleted the kasper/fix-nx-ci branch January 6, 2026 13:27