From 70a3578e158aca373413b2600c896d1735aeb275 Mon Sep 17 00:00:00 2001
From: s3rj1k
Date: Fri, 7 Mar 2025 22:27:53 +0100
Subject: [PATCH] [GHA] Rework upload expression and add verification for nonce job

---
 .github/workflows/build.yml | 33 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 504e282..f6a09e1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,15 @@ concurrency:
 jobs:
   get-nonce:
     name: 'Get Nonce for token'
+    if: |
+      (
+        github.event_name == 'pull_request' &&
+        github.event.pull_request.head.repo.full_name != github.repository &&
+        !contains(github.event.pull_request.changed_files, '.github/')
+      ) ||
+      github.event_name == 'push' ||
+      github.event.pull_request.head.repo.full_name == github.repository ||
+      github.actor == github.repository_owner
     runs-on: freeswitch-org-auth-client
     outputs:
       nonce: ${{ steps.get-nonce.outputs.nonce }}
@@ -52,9 +61,7 @@ jobs:
       ${{
         github.event_name == 'push' ||
         github.event.pull_request.head.repo.full_name == github.repository ||
-        github.actor == github.repository_owner ||
-        github.actor.belongs_to_organization ||
-        github.event.pull_request.merged == true
+        github.actor == github.repository_owner
       }}
     permissions:
       id-token: write
@@ -89,14 +96,8 @@ jobs:
       TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-fse-${{ matrix.release }}-artifact
       UPLOAD_BUILD_ARTIFACTS: >-
         ${{
-          (github.event.pull_request.head.repo.full_name == github.repository) &&
-          (
-            (
-              github.event_name != 'pull_request' &&
-              github.event_name != 'workflow_dispatch'
-            ) ||
-            (github.event_name == 'workflow_dispatch' && inputs.publish)
-          )
+          (github.event_name == 'push') ||
+          (github.event_name == 'workflow_dispatch' && inputs.publish)
         }}
     secrets:
       GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }}
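Review bot: The fork-PR branch of the new `if:` on `get-nonce` relies on `!contains(github.event.pull_request.changed_files, '.github/')`, but `changed_files` in the pull_request event payload is the count of changed files, not their paths, so `contains()` can never match and that clause is always true; the job therefore runs for every fork pull request, including ones that touch the workflows under `.github/`, on what looks like a non-GitHub-hosted runner (`runs-on: freeswitch-org-auth-client`). The list of touched paths is not available in the event context, so if the intent is to skip the job when `.github/` changes, that needs a `paths-ignore` filter on the `pull_request` trigger or a preceding step that lists the PR's files and exposes a boolean output this job can test. A `pull_request` run from a fork carries a read-only token and no secrets, so the exposure is the runner itself rather than credentials, but the condition should not be read as protecting `.github/`. A comment above the `if:` stating which event/origin combinations are meant to be admitted would make the intent checkable.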
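Review bot: The retained `github.actor == github.repository_owner` on the new side compares a user login with the repository owner's login; if this repository is owned by an organization (the runner label suggests a `freeswitch-org` org), `repository_owner` is the org name and the clause can never match a human actor, so the gate for the job with `id-token: write` effectively reduces to `push` or a same-repo PR. That may be the intended tightening, but if maintainers from forks are meant to be admitted, an explicit membership check in a dedicated step would be needed — the dropped `github.actor.belongs_to_organization` was not a real field either, since `github.actor` is a plain string. The same clause is the last alternative of the new `get-nonce` `if:` in the first hunk. The enclosing `if:` expression begins before this hunk.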
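Review bot: The reworked `UPLOAD_BUILD_ARTIFACTS` expression publishes on every `push` event regardless of ref, and `inputs.publish` is only a true boolean if the `workflow_dispatch` input is declared with `type: boolean`; as a string input, a value of `'false'` is non-empty and therefore truthy, so a manual run with publish set to false would still upload with `secrets.PAT`. Neither the `on.push` filter nor the input declaration is part of this diff, so please confirm both, or make the check self-describing: `(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/<release-branch>')) || (github.event_name == 'workflow_dispatch' && inputs.publish == true)`. The identical expression in the `-public-` artifact hunk (`@@ -144,14 +145,8 @@`) has the same issue. The enclosing job's `with:` block starts before this hunk.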
@@ -144,14 +145,8 @@ jobs:
       TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-public-${{ matrix.release }}-artifact
       UPLOAD_BUILD_ARTIFACTS: >-
         ${{
-          (github.event.pull_request.head.repo.full_name == github.repository) &&
-          (
-            (
-              github.event_name != 'pull_request' &&
-              github.event_name != 'workflow_dispatch'
-            ) ||
-            (github.event_name == 'workflow_dispatch' && inputs.publish)
-          )
+          (github.event_name == 'push') ||
+          (github.event_name == 'workflow_dispatch' && inputs.publish)
         }}
     secrets:
       GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }}