From 6348ac58452c17629628b64183e224c72df7981e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Feb 2026 19:49:56 +0000
Subject: [PATCH 1/3] Initial plan
From fa16af116729ef2826a61508b8b77306b04efc7a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 6 Feb 2026 19:50:55 +0000
Subject: [PATCH 2/3] Fix: Exclude fork PRs from GitHub Packages publishing
- Updated condition to check if PR is from same repository
- Added explanatory comments about security restrictions
- Fork PRs will skip publish step but still get build artifacts
Co-authored-by: jasonleenaylor <2295227+jasonleenaylor@users.noreply.github.com>
---
 .github/workflows/ci-cd.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 7379a3af..1e22bcb4 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -91,8 +91,11 @@ jobs:
 run: dotnet nuget push artifacts/*.nupkg -s https://api.nuget.org/v3/index.json -k ${{secrets.SILLSDEV_PUBLISH_NUGET_ORG}} --skip-duplicate
 if: github.event_name == 'push' && matrix.os == 'ubuntu-22.04'
+ # Publish packages for pull requests from the same repository only.
+ # Fork PRs cannot authenticate to GitHub Packages due to security restrictions,
+ # but contributors can still download build artifacts from the workflow run.
 - name: Publish to Github packages
- if: github.event_name == 'pull_request' && matrix.os == 'ubuntu-22.04'
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && matrix.os == 'ubuntu-22.04'
 run: dotnet nuget push artifacts/*.nupkg -s https://nuget.pkg.github.com/sillsdev/index.json -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate
 - name: Publish Artifacts
From 9a637d69074088c7e8f2f665e3edc8f5216b242a Mon Sep 17 00:00:00 2001
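Review bot: The comment added above the `Publish to Github packages` step only cites "security restrictions"; it should state the mechanism, namely that on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only and repository secrets are withheld, so the workflow's `packages: write` grant never applies there. I would also record the consequence for future maintainers, for example `# Do not move this job to pull_request_target to publish fork builds: that would run fork-controlled code with a write-scoped token.` Separately, the new `if:` still publishes packages built from any same-repository branch before review, so anyone who can push a branch can place a package on the `sillsdev` feed; if that is intended, the comment should say so. The step list continues outside this hunk.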
From: Jason Naylor
Date: Fri, 6 Feb 2026 12:57:47 -0800
Subject: [PATCH 3/3] Update the permissions to allow pushing check results
---
 .github/workflows/ci-cd.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 1e22bcb4..9e4437a7 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -10,6 +10,7 @@ on:
 tags: [ 'v[0-9]+*' ]
 permissions:
+ checks: write
 contents: read
 packages: write
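Review bot: `checks: write` is added to the workflow-level `permissions:` block, so every job and step in this workflow receives a token that can create and update check runs, including the steps that build and test same-repository pull-request code. If only one job reports check results (the jobs are outside this hunk, so this is an assumption), declare the scope on that job instead with a job-level `permissions:` block listing `checks: write`, `contents: read` and `packages: write`; a job-level block replaces the workflow-level one, so all three must be listed. A short comment naming the step that needs `checks: write` would also help the next reviewer judge whether the grant is still required.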