From 5e8b884cba3aee4e5b08ea7d92c12ef9f1ea5b4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Ahlert?= <andre@aex.partners>
Date: Thu, 28 May 2026 04:30:37 -0300
Subject: [PATCH] ci: skip docs preview deploy steps for PRs from forks

Forks cannot push to gh-pages because PR-from-fork GITHUB_TOKEN is
read-only regardless of declared workflow permissions, causing the
docs job to fail with "Resource not accessible by integration" on
every fork PR.

Gate the three steps that need write access (Comment on PR, Build PR
preview website, Update comment) on PRs originating from this
repository so the docs job still validates the Sphinx build for fork
PRs without attempting the preview deploy.
---
 .github/workflows/docs.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bf95610c4..01aad6937 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -51,7 +51,7 @@ jobs:
           echo "burr.apache.org" > _build/CNAME # keep the cname file which this clobbers -- todo, unhardcode
       - name: Comment on PR
         uses: hasura/comment-progress@v2.2.0
-        if: github.ref != 'refs/heads/main'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}
@@ -60,7 +60,7 @@ jobs:
           message: "Starting deployment of preview ⏳..."
       - name: Build PR preview website
         uses: peaceiris/actions-gh-pages@v3
-        if: github.ref != 'refs/heads/main'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: _build/
@@ -75,7 +75,7 @@ jobs:
           keep_files: true # Add this line to keep existing files in the gh-pages branch
       - name: Update comment
         uses: hasura/comment-progress@v2.2.0
-        if: github.ref != 'refs/heads/main'
+        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}