From dc915d33ea5e8450aedb1eedee918c3c7d63e6c6 Mon Sep 17 00:00:00 2001
From: TTW <peter86225@gmail.com>
Date: Thu, 5 Mar 2026 16:18:32 +0800
Subject: [PATCH 1/2] ci(.github/workflows): restrict release workflows to
 upstream repo

---
 .github/workflows/bumpversion.yml     | 2 +-
 .github/workflows/docspublish.yml     | 2 ++
 .github/workflows/homebrewpublish.yml | 4 ++--
 .github/workflows/pythonpublish.yml   | 1 +
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/bumpversion.yml b/.github/workflows/bumpversion.yml
index d74ed624a7..74456068b1 100644
--- a/.github/workflows/bumpversion.yml
+++ b/.github/workflows/bumpversion.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   bump-version:
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    if: github.repository == 'commitizen-tools/commitizen' && !startsWith(github.event.head_commit.message, 'bump:')
     runs-on: ubuntu-latest
     name: "Bump version and create changelog with commitizen"
     steps:
diff --git a/.github/workflows/docspublish.yml b/.github/workflows/docspublish.yml
index 2c03a099df..d6461795f6 100644
--- a/.github/workflows/docspublish.yml
+++ b/.github/workflows/docspublish.yml
@@ -8,6 +8,7 @@ on:
 
 jobs:
   update-cli-screenshots:
+    if: github.repository == 'commitizen-tools/commitizen'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -46,6 +47,7 @@ jobs:
           fi
 
   publish-documentation:
+    if: github.repository == 'commitizen-tools/commitizen'
     runs-on: ubuntu-latest
     needs: update-cli-screenshots
     steps:
diff --git a/.github/workflows/homebrewpublish.yml b/.github/workflows/homebrewpublish.yml
index 0ea8eba0df..ff6eab7b35 100644
--- a/.github/workflows/homebrewpublish.yml
+++ b/.github/workflows/homebrewpublish.yml
@@ -9,7 +9,7 @@ on:
 jobs:
   deploy:
     runs-on: macos-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: github.repository == 'commitizen-tools/commitizen' && github.event.workflow_run.conclusion == 'success'
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -23,7 +23,7 @@ jobs:
       - name: Update Homebrew formula
         uses: dawidd6/action-homebrew-bump-formula@v7
         with:
-          token: ${{secrets.PERSONAL_ACCESS_TOKEN}}
+          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           formula: commitizen
           tag: v${{ env.project_version }}
           force: true
diff --git a/.github/workflows/pythonpublish.yml b/.github/workflows/pythonpublish.yml
index d7bce79c4e..c6636a89d7 100644
--- a/.github/workflows/pythonpublish.yml
+++ b/.github/workflows/pythonpublish.yml
@@ -7,6 +7,7 @@ on:
 
 jobs:
   deploy:
+    if: github.repository == 'commitizen-tools/commitizen'
     runs-on: ubuntu-latest
     permissions:
       id-token: write

From ef4369e7b23bd4501c95058cf6d0c019e8f530c8 Mon Sep 17 00:00:00 2001
From: TTW <peter86225@gmail.com>
Date: Thu, 5 Mar 2026 17:45:55 +0800
Subject: [PATCH 2/2] ci(.github/workflows): use expression syntax ${{ }} for
 workflow guards

---
 .github/workflows/bumpversion.yml     | 2 +-
 .github/workflows/docspublish.yml     | 4 ++--
 .github/workflows/homebrewpublish.yml | 2 +-
 .github/workflows/pythonpublish.yml   | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/bumpversion.yml b/.github/workflows/bumpversion.yml
index 74456068b1..0ac511afd7 100644
--- a/.github/workflows/bumpversion.yml
+++ b/.github/workflows/bumpversion.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   bump-version:
-    if: github.repository == 'commitizen-tools/commitizen' && !startsWith(github.event.head_commit.message, 'bump:')
+    if: ${{ github.repository == 'commitizen-tools/commitizen' && !startsWith(github.event.head_commit.message, 'bump:') }}
     runs-on: ubuntu-latest
     name: "Bump version and create changelog with commitizen"
     steps:
diff --git a/.github/workflows/docspublish.yml b/.github/workflows/docspublish.yml
index d6461795f6..1862535b69 100644
--- a/.github/workflows/docspublish.yml
+++ b/.github/workflows/docspublish.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   update-cli-screenshots:
-    if: github.repository == 'commitizen-tools/commitizen'
+    if: ${{ github.repository == 'commitizen-tools/commitizen' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -47,7 +47,7 @@ jobs:
           fi
 
   publish-documentation:
-    if: github.repository == 'commitizen-tools/commitizen'
+    if: ${{ github.repository == 'commitizen-tools/commitizen' }}
     runs-on: ubuntu-latest
     needs: update-cli-screenshots
     steps:
diff --git a/.github/workflows/homebrewpublish.yml b/.github/workflows/homebrewpublish.yml
index ff6eab7b35..3a4d2cd3d2 100644
--- a/.github/workflows/homebrewpublish.yml
+++ b/.github/workflows/homebrewpublish.yml
@@ -9,7 +9,7 @@ on:
 jobs:
   deploy:
     runs-on: macos-latest
-    if: github.repository == 'commitizen-tools/commitizen' && github.event.workflow_run.conclusion == 'success'
+    if: ${{ github.repository == 'commitizen-tools/commitizen' && github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6
diff --git a/.github/workflows/pythonpublish.yml b/.github/workflows/pythonpublish.yml
index c6636a89d7..a829ef9470 100644
--- a/.github/workflows/pythonpublish.yml
+++ b/.github/workflows/pythonpublish.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   deploy:
-    if: github.repository == 'commitizen-tools/commitizen'
+    if: ${{ github.repository == 'commitizen-tools/commitizen' }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write