Bandit and SonarQube action runs on forks

[marcus-oscarsson]

It turns out that the current if statement in the Bandit and SonarQube action does not prevent the execution of the workflow on forks for instance on simple push events.

See: https://github.com/rhfogh/mxcubecore/actions/runs/16672531426/workflow#L61

The easiest fix would probably be to do the following:

if: github.repository == 'mxcube/mxcubecore'

The current check only checks if the PR is from the same repository but not that its from the "canonical" mxcubecore repository. There does not seem to be a way of checking that without hard coding the name like above (at least as far as I could see).

[walesch-yan]

This has been tested and the problem is that github.repository seems to represent the target repo, so if a PR is opened from a fork to mxcube/mxcubecore, the workflow will still run.

There is a possibility to use github.event.pull_request.base.repo.full_name, which represents the name of the repo from which the PR originates from so we can either check if it equals github.repository (base repo and target are the same) or directly compare it to mxcube/mxcubecore.

I tend to the later option, as workflows are copied to forks as well and this makes sure that it only runs on the original repo.

1 remaining problem is that on pushes, there is no way to distinguish between a fork and the original repo (at least that I know of)