From b6cfd6f2b66af3f89a992f2ab5b663879ebfbaff Mon Sep 17 00:00:00 2001
From: Musee Ullah <lae@lae.is>
Date: Wed, 4 Dec 2024 08:07:38 +0900
Subject: [PATCH] [actions] don't run Amplify on PRs from forks

GitHub does not mint OIDC tokens for externally sourced PRs so this
workflow can't successfully run on those PRs. An alternative solution
(like via an approval comment?) should be identified and implemented
eventually to allow the workflow for previous contributors using their
own forks.

This also updates the workflow to run on the develop branch.
---
 .github/workflows/amplify.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml
index 17a1013..267a8ba 100644
--- a/.github/workflows/amplify.yml
+++ b/.github/workflows/amplify.yml
@@ -4,7 +4,7 @@ on:
   pull_request: {}
   workflow_dispatch: {}
   push:
-    branches: ["main"]
+    branches: ["main", "develop"]
 
 permissions:
   contents: read
@@ -14,9 +14,9 @@ jobs:
   amplify-security-scan:
     name: Amplify Security Scan
     runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
+    if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]')
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - name: Amplify Runner
         uses: amplify-security/runner-action@926f003f3c9695a93cbc4e2f1e64eb784dcacbfc  # v0.2.0