From be3a1759de05e719ee1f5a034762ee6aa41b8ac0 Mon Sep 17 00:00:00 2001
From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Date: Wed, 2 Jul 2025 09:47:53 +0200
Subject: [PATCH] GitHub: Only deploy to Azure on direct pull requests (#19647)

* build(github): check that the "close" job only runs when the appropriate label is applied

it follows that the "build" job would only have built an environment when the label was applied

* build(github): check that the action is run directly on the repository and not from a fork

this alleviates the problem that the deploymentToken for Azure only exists within the repository
---
 .github/workflows/azure-backoffice.yml | 4 ++--
 .github/workflows/azure-storybook.yml  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/azure-backoffice.yml b/.github/workflows/azure-backoffice.yml
index b22b1d36ee..4c40540065 100644
--- a/.github/workflows/azure-backoffice.yml
+++ b/.github/workflows/azure-backoffice.yml
@@ -20,7 +20,7 @@ on:
 
 jobs:
   build_and_deploy_job:
-    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && (contains(github.event.pull_request.labels.*.name, 'preview/backoffice')))
+    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && contains(github.event.pull_request.labels.*.name, 'preview/backoffice') && github.repository == github.event.pull_request.head.repo.full_name)
     runs-on: ubuntu-latest
     name: Build and Deploy Job
     steps:
@@ -44,7 +44,7 @@ jobs:
           ###### End of Repository/Build Configurations ######
 
   close_pull_request_job:
-    if: github.event_name == 'pull_request' && github.event.action == 'closed'
+    if: github.event_name == 'pull_request' && github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'preview/backoffice') && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     name: Close Pull Request Job
     steps:
diff --git a/.github/workflows/azure-storybook.yml b/.github/workflows/azure-storybook.yml
index 0da6fddfbe..586cd10d22 100644
--- a/.github/workflows/azure-storybook.yml
+++ b/.github/workflows/azure-storybook.yml
@@ -23,7 +23,7 @@ env:
 
 jobs:
   build_and_deploy_job:
-    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && (contains(github.event.pull_request.labels.*.name, 'preview/storybook')))
+    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed' && contains(github.event.pull_request.labels.*.name, 'preview/storybook') && github.repository == github.event.pull_request.head.repo.full_name)
     runs-on: ubuntu-latest
     name: Build and Deploy Job
     steps:
@@ -45,7 +45,7 @@ jobs:
           ###### End of Repository/Build Configurations ######
 
   close_pull_request_job:
-    if: github.event_name == 'pull_request' && github.event.action == 'closed'
+    if: github.event_name == 'pull_request' && github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'preview/storybook') && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     name: Close Pull Request Job
     steps: