move unapproved static checks to a separate workflow (#2618)

isegall-da · web-flow · commit 548f03b79aa2 · 2025-10-13T12:15:06.000Z
Signed-off-by: Itai Segall &lt;itai.segall@digitalasset.com&gt;
diff --git a/.github/workflows/build.static_tests.yml b/.github/workflows/build.static_tests.yml
@@ -9,6 +9,10 @@ on:
       self_hosted:
         type: boolean
         required: true
+      skip_todo_check:
+        type: boolean
+        required: false
+        default: false
 
 jobs:
   static_tests:
@@ -53,6 +57,7 @@ jobs:
 
       - name: Checking TODOs
         uses: ./.github/actions/nix/run_bash_command_in_nix
+        if: ${{ inputs.skip_todo_check == false }}
         with:
           cmd: |
             echo "PR number: $CIRCLE_PULL_REQUEST"
diff --git a/.github/workflows/pr_non_contributors.yml b/.github/workflows/pr_non_contributors.yml
@@ -32,17 +32,3 @@ jobs:
     needs: env_hold
     with:
       commit_sha: ${{ github.event.pull_request.head.sha }}
-
-  # Note: unapproved runs must not be granted access to secrets, and must not run on self-hosted runners
-  no_approval_static_tests:
-    name: Static Tests (No Approval Required)
-    uses: ./.github/workflows/build.static_tests.yml
-    if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
-    secrets: {} # Explcitly do not grant access to secrets
-    permissions:
-      contents: read
-      pull-requests: read # Required for the static tests
-      issues: read # Required for the static tests
-    with:
-      self_hosted: false
-      commit_sha: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/pr_static_checks.yml b/.github/workflows/pr_static_checks.yml
@@ -0,0 +1,23 @@
+name: Static checks for PRs from forks (No Approval Required)
+on:
+  # unapproved runs must be on: pull_request, to prevent cache pollution on main
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.head.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Note: unapproved runs must not be granted access to secrets, and must not run on self-hosted runners
+  no_approval_static_tests:
+    name: Static Tests
+    uses: ./.github/workflows/build.static_tests.yml
+    if: github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    secrets: {} # Explcitly do not grant access to secrets
+    permissions:
+      contents: read
+    with:
+      self_hosted: false
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+      skip_todo_check: true # runs from forks with on: pull_request run in context of the fork, so issue references will be broken
