From a4739998c84986e12400852d02f62307b8832c24 Mon Sep 17 00:00:00 2001
From: Reuben Bond <reuben.bond@gmail.com>
Date: Thu, 14 May 2026 11:13:17 -0700
Subject: [PATCH] Restrict maintenance workflows to upstream repo

Prevent write-capable maintenance workflows from running in forks by adding an upstream repository guard to their jobs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/generate-api-diffs.yml | 1 +
 .github/workflows/locker.yml             | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/generate-api-diffs.yml b/.github/workflows/generate-api-diffs.yml
index f1c317f8e34..b2ee9afce34 100644
--- a/.github/workflows/generate-api-diffs.yml
+++ b/.github/workflows/generate-api-diffs.yml
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   generate-and-pr:
+    if: github.repository == 'dotnet/orleans'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
diff --git a/.github/workflows/locker.yml b/.github/workflows/locker.yml
index 708d273c0d8..3f716f46b80 100644
--- a/.github/workflows/locker.yml
+++ b/.github/workflows/locker.yml
@@ -20,6 +20,7 @@ permissions:
 
 jobs:
   main:
+    if: github.repository == 'dotnet/orleans'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions