From 378e6bb3e1583896dcba049921f078ff0fba2047 Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 15:41:00 +0100
Subject: [PATCH] ci: gate cosign/sbom/attest steps to github only

cosign keyless sign uses Sigstore Fulcio which requires a Fulcio-trusted OIDC issuer. Forgejo runs don't have one, so cosign falls back to the interactive device flow and times out (error obtaining token: expired_token). Same applies to attest-build-provenance and the SBOM action's signed attestation. Skip all three on Forgejo for now; ISO + sha256 are sufficient for v0.5.x test releases. Re-add when we self-host a Sigstore stack or sign with a key-pair instead of keyless.

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/build-iso.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 9356968..5768127 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -174,12 +174,12 @@ jobs:
 ls "${ISO}".part-*
 - name: Install cosign
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
 # Pinned to last v3 release confirmed node20.
 uses: sigstore/cosign-installer@v3.7.0
 - name: Sign ISO parts (keyless)
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
 run: |
 cd build/out
 for f in *.part-*; do
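Review bot: The clause `&& github.server_url == 'https://github.com'` is now copied into four step-level `if:` expressions (the two here, the SBOM step and the attestation step in the hunks below), so the next change to the gate has to be made in four places and the conditions can silently drift apart. Computing it once at job level, e.g. `env:` / `  SIGN_RELEASE: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com' }}`, and using `if: env.SIGN_RELEASE == 'true'` on each step keeps a single source of truth. A comment above "Install cosign" should also record the consequence the commit message describes, e.g. `# On Forgejo these steps are skipped: releases built there ship only the ISO parts and their sha256, with no signature or provenance, so the checksum protects against corruption but not against substitution by anyone who can write to the release.`, since consumers of those releases cannot tell this from the workflow. That `github.server_url` is populated with the instance URL on Forgejo runners is taken from the description, not visible here. The "Sign ISO parts (keyless)" run block continues past the end of the hunk.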
@@ -189,7 +189,7 @@ jobs:
 done
 - name: Generate SBOM (SPDX)
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
 # Pinned to last v0.17 release that ships node20.
 uses: anchore/sbom-action@v0.17.2
 with:
@@ -198,7 +198,7 @@ jobs:
 output-file: build/out/veilor-os.spdx.json
 - name: Build provenance attestation
- if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.server_url == 'https://github.com'
 # Pinned to last v2.2 release that ships node20.
 uses: actions/attest-build-provenance@v2.2.3
 with:
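Review bot: Gating the whole "Generate SBOM (SPDX)" step drops the SBOM file itself from Forgejo builds, although writing `build/out/veilor-os.spdx.json` does not depend on a Fulcio-trusted OIDC issuer; only whatever signed-attestation behaviour the action performs does, per the commit message. If the action lets generation and attestation be controlled separately, keeping generation unconditional and gating only the attestation would preserve the SBOM on Forgejo releases; if it does not, a comment on this step such as `# Skipped on Forgejo: the action's attestation upload needs a Sigstore-trusted OIDC issuer, so no SBOM is produced there either.` makes the trade-off explicit. Any later step that references `build/out/veilor-os.spdx.json` (a release-asset upload, for instance) lies outside this hunk and must carry the same gate, or it will fail on Forgejo with the file missing. The `with:` blocks of both steps continue past the hunk.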