ci: improve filter in workflow

[NARSimoes]

Summary

• ci: improve filter in workflow

Ticket Link

https://mattermost.atlassian.net/browse/SEC-10310

Release Note

NONE

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 74b6e887-dcfe-407b-85e4-a9ddd3487b46

📥 Commits

Reviewing files that changed from the base of the PR and between e699409 and bcb2b07.

📒 Files selected for processing (1)

• .github/workflows/build-for-pr.yml

---

📝 Walkthrough

Walkthrough

This PR tightens security gates on PR-triggered build jobs in the GitHub Actions workflow. Four platform-specific jobs (Linux, Windows install-deps, Windows build, and Mac) now require pull requests to originate from the same repository as the workflow, in addition to the existing Build Apps for PR label requirement. This prevents forked PRs from triggering resource-intensive platform builds.

Changes

Build Job Security Gates

Layer / File(s)	Summary
Restrict platform builds to same-repository PRs .github/workflows/build-for-pr.yml	Linux, Windows, and Mac build jobs each add repository-origin validation (github.event.pull_request.head.repo.full_name == github.repository) to their if conditions alongside the existing label check, preventing cross-fork builds.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: improve filter in workflow' directly relates to the main change: adding stricter filter conditions to PR-triggered CI workflow jobs. It accurately describes the workflow enhancement.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch nasimoes-ci-desktop-repo

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[esarafianou]

@devinbinnie with these changes, PRs from forks can no longer trigger the desktop build jobs, even if someone labels them. With this change, do we expect any friction merging community PRs? Do we get them community contributions often?

cc. @NARSimoes

[devinbinnie]

@devinbinnie with these changes, PRs from forks can no longer trigger the desktop build jobs, even if someone labels them. With this change, do we expect any friction merging community PRs? Do we get them community contributions often?

cc. @NARSimoes

Yes we still do, however this just restricts the builds from being produced, which I don't think is a huge problem. Most community contributions are reviewed by me, so I think this just means that I would have to pull the code down and build it myself, which I'm okay doing.

That said, is there a reason we're doing this or is it just for hardening?