
Continuous Integration/Test attest action fails in forks because it uses pull_request #204

Open
jsoref opened this issue Jan 23, 2025 · 0 comments


jsoref commented Jan 23, 2025

https://github.com/actions/attest/actions/runs/12921612078/job/36045041753?pr=203

Run ./
Error: Error: missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.

It is possible to fix this in various ways:

But, it's also possible to just do something like:

 on:
   pull_request:
     branches:
       - main
   push:
-    branches:
-      - main
-      - 'releases/*'
+    # no constraints for push, otherwise there's no CI for PRs from forks which is problematic
 permissions: {}
 
 jobs:
   test-typescript:
     name: TypeScript Tests
     runs-on: ubuntu-latest
     permissions:
       contents: read
 
     steps:
       - name: Checkout
         id: checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node.js
         id: setup-node
         uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version-file: .node-version
           cache: npm
 
       - name: Install Dependencies
         id: npm-ci
         run: npm ci
 
       - name: Check Format
         id: npm-format-check
         run: npm run format:check
 
       - name: Lint
         id: npm-lint
         run: npm run lint
 
       - name: Test
         id: npm-ci-test
         run: npm run ci-test
 
   test-attest:
     name: Test attest action
     runs-on: ubuntu-latest
     permissions:
       contents: read
       attestations: write
       id-token: write
     env:
       SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
     steps:
       - name: Checkout
         id: checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Calculate subject digest
         id: subject
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1)
           echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT"
+      - name: Skip for PRs from forks
+        shell: bash
+        id: skip
+        if: github.event_name != 'push' || github.pull_request.head.user.login != github.pull_request.base.user.login
+        run: |
+          echo '::warning title=Test attest action skipped::Testing action requires permissions and isn't done for PRs from forks.'
+          echo 'skip=1' >> "$GITHUB_OUTPUT"
       - name: Run attest
         id: attest
+        if: ${{ ! steps.skip.outputs.skip }}
         env:
           INPUT_PRIVATE-SIGNING: 'true'
         uses: ./
         with:
           subject-name: 'https://api.github.com${{ env.SUBJECT }}'
           subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}'
           predicate-type: 'https://in-toto.io/attestation/release/v0.1'
           predicate:
             '{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'
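Review bot: the `if` on the new "Skip for PRs from forks" step skips every `pull_request` run, not just those from forks, because `github.event_name != 'push'` is already true for any PR event, so the `||` short-circuits and `Run attest` never executes for PRs at all. The second half of the condition is also not checking what the step name says: `github.pull_request` is not a valid context (the PR payload lives under `github.event.pull_request`), and comparing `head.user.login` to `base.user.login` compares the PR author with the base repo owner rather than asking whether the head repo is a fork; `github.event.pull_request.head.repo.fork` or comparing `github.event.pull_request.head.repo.full_name` with `github.repository` expresses the intent directly. Separately, the `echo '::warning ... isn't done for PRs from forks.'` line is broken by the apostrophe in `isn't`, which closes the single-quoted string and leaves the rest of the line as an unterminated quote, so bash rejects the script and `skip=1` is never written; use double quotes or `isn'\''t`. The trigger change itself (dropping the `branches` filter under `push`) is fine for its stated purpose but does mean every push to any branch now runs the `test-attest` job with `id-token: write`, which is worth stating in the comment.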