Disable build attestations for PRs from forks

RonnyPfannschmidt · claude · RonnyPfannschmidt · commit 3402322097aa · 2025-10-18T22:17:13.000+02:00
Conditionally enable build provenance attestations only when not running in a fork PR context. Fork PRs lack the necessary permissions (id-token and attestations write) to create attestations, causing workflow failures. Attestations now only run for: - Pushes to branches - PRs from branches within the same repository 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
         id: baipp
         uses: hynek/build-and-inspect-python-package@v2
         with:
-          attest-build-provenance-github: true
+          attest-build-provenance-github: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         env:
           SETUPTOOLS_SCM_OVERRIDES_FOR_INICONFIG: ${{ github.ref == 'refs/heads/main' && 'local_scheme="no-local-version"' || '' }}
 
