[GHA] Rework upload expression and add verification for nonce job

s3rj1k · s3rj1k · commit 70a3578e158a · 2025-03-07T22:41:24.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,6 +21,15 @@ concurrency:
 jobs:
   get-nonce:
     name: 'Get Nonce for token'
+    if: |
+      (
+        github.event_name == 'pull_request' &&
+        github.event.pull_request.head.repo.full_name != github.repository &&
+        !contains(github.event.pull_request.changed_files, '.github/')
+      ) ||
+      github.event_name == 'push' ||
+      github.event.pull_request.head.repo.full_name == github.repository ||
+      github.actor == github.repository_owner
     runs-on: freeswitch-org-auth-client
     outputs:
       nonce: ${{ steps.get-nonce.outputs.nonce }}
@@ -52,9 +61,7 @@ jobs:
       ${{
         github.event_name == 'push' ||
         github.event.pull_request.head.repo.full_name == github.repository ||
-        github.actor == github.repository_owner ||
-        github.actor.belongs_to_organization ||
-        github.event.pull_request.merged == true
+        github.actor == github.repository_owner
       }}
     permissions:
       id-token: write
@@ -89,14 +96,8 @@ jobs:
       TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-fse-${{ matrix.release }}-artifact
       UPLOAD_BUILD_ARTIFACTS: >-
         ${{
-          (github.event.pull_request.head.repo.full_name == github.repository) &&
-          (
-            (
-              github.event_name != 'pull_request' &&
-              github.event_name != 'workflow_dispatch'
-            ) ||
-            (github.event_name == 'workflow_dispatch' && inputs.publish)
-          )
+          (github.event_name == 'push') ||
+          (github.event_name == 'workflow_dispatch' && inputs.publish)
         }}
     secrets:
       GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }}
@@ -144,14 +145,8 @@ jobs:
       TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-public-${{ matrix.release }}-artifact
       UPLOAD_BUILD_ARTIFACTS: >-
         ${{
-          (github.event.pull_request.head.repo.full_name == github.repository) &&
-          (
-            (
-              github.event_name != 'pull_request' &&
-              github.event_name != 'workflow_dispatch'
-            ) ||
-            (github.event_name == 'workflow_dispatch' && inputs.publish)
-          )
+          (github.event_name == 'push') ||
+          (github.event_name == 'workflow_dispatch' && inputs.publish)
         }}
     secrets:
       GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }}
