fix(reusable workflows): only run harden-runner on public repos

iainlane · iainlane · commit f7d86287e834 · 2025-04-30T14:26:10.000+01:00
This is only available to us in public repositories right now, so make
this conditional for our reusable workflows.
diff --git a/.github/workflows/check-drone-signature.yaml b/.github/workflows/check-drone-signature.yaml
@@ -28,6 +28,7 @@ jobs:
       isFork: ${{ steps.check-if-fork.outputs.isFork }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
+        if: ${{ ! github.event.repository.private }}
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
diff --git a/.github/workflows/publish-techdocs.yaml b/.github/workflows/publish-techdocs.yaml
@@ -57,6 +57,7 @@ jobs:
       id-token: "write"
     steps:
       - name: Harden the runner (Audit all outbound calls)
+        if: ${{ ! github.event.repository.private }}
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
diff --git a/.github/workflows/reusable-zizmor.yml b/.github/workflows/reusable-zizmor.yml
@@ -71,6 +71,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
+        if: ${{ ! github.event.repository.private }}
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
