ci(actions): upgrade check-origin action

- [x] upgrade `check-origin` to exit on verification failure;
- [x] refactor workflows that depend on the `check-origin` action;

Author: rfprod

.github/actions/check-origin/action.yml

@@ -18,13 +18,17 @@ description: Checks the repository owner. The publish/deploy steps should not be
 
 inputs:
   repo-owner:
-    description: Repository owner
+    description: Repository owner.
     required: true
     default: ${{ github.repository_owner }}
   original-owner:
-    description: Original repository owner
+    description: Original repository owner.
     required: true
     default: 'rfprod'
+  bail-out:
+    description: Exit with an error code 1 if origin verification fails.
+    required: false
+    default: 'true'
 outputs:
   origin:
     description: Indicates that the repository owner is the original owner which means that it is not a fork. Has two values - 'true' if the repo owner is the original owner, 'false' if the repo owner is not the original owner, i.e. it is a fork.
@@ -39,15 +43,18 @@ runs:
       run: |
         echo "Checking repository owner..."
         ORIGIN='false'
-        if [ "$REPO_OWNER" == "$ORIGINAL_OWNER" ]; then ORIGIN='true'; fi
+        if [[ "$REPO_OWNER" == "$ORIGINAL_OWNER" ]]; then ORIGIN='true'; fi
         echo "origin=$(echo ${ORIGIN})" >> $GITHUB_OUTPUT
         echo "### :rocket: Check origin" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
-        echo "| Metric | Value | " >> $GITHUB_STEP_SUMMARY
-        echo "| ------ | ----- | " >> $GITHUB_STEP_SUMMARY
-        echo "| REPO_OWNER | $REPO_OWNER |" >> $GITHUB_STEP_SUMMARY
+        echo "| Metric         | Value           | " >> $GITHUB_STEP_SUMMARY
+        echo "| -------------- | --------------- | " >> $GITHUB_STEP_SUMMARY
+        echo "| REPO_OWNER     | $REPO_OWNER     |" >> $GITHUB_STEP_SUMMARY
         echo "| ORIGINAL_OWNER | $ORIGINAL_OWNER |" >> $GITHUB_STEP_SUMMARY
-        echo "| ORIGIN | $ORIGIN |" >> $GITHUB_STEP_SUMMARY
+        echo "| BAIL_OUT       | $BAIL_OUT       |" >> $GITHUB_STEP_SUMMARY
+        echo "| ORIGIN         | $ORIGIN         |" >> $GITHUB_STEP_SUMMARY
+        if [[ "$ORIGIN" == "true" && "$BAIL_OUT" == "true" ]]; then exit 1; fi
       env:
         REPO_OWNER: ${{ inputs.repo-owner }}
         ORIGINAL_OWNER: ${{ inputs.original-owner }}
+        BAIL_OUT: ${{ inputs.bail.out }}

.github/workflows/build-docker.yml

@@ -37,6 +37,9 @@ jobs:
           compodoc: true
           cypress: true
 
+      - name: Check origin
+        uses: ./.github/actions/check-origin
+
       - name: Unit test all
         run: |
           npx nx run-many --target test --all --pass-with-no-tests --code-coverage --run-in-band --ci
@@ -57,12 +60,7 @@ jobs:
           yarn generate:changelog
           yarn e2e:report || exit 1
 
-      - name: Check repository owner
-        id: check-origin
-        uses: ./.github/actions/check-origin
-
       - name: Docker login
-        if: ${{ steps.check-origin.outputs.origin == 'true' }}
         run: yarn docker:login "$DOCKER_REGISTRY_USER" "$DOCKER_REGISTRY_ACCESS_TOKEN"
         env:
           DOCKER_REGISTRY_USER: ${{ secrets.DOCKER_REGISTRY_USER }}
@@ -77,7 +75,7 @@ jobs:
           yarn docker:build documentation
 
       - name: Docker push apps
-        if: ${{ github.event.inputs.dry-run == false && steps.check-origin.outputs.origin == 'true' }}
+        if: github.event.inputs.dry-run == false
         run: |
           yarn docker:push base
           yarn docker:push api-production

.github/workflows/deploy-apps.yml

@@ -135,7 +135,7 @@ jobs:
 
       # This job works only with a paid plan such as Blaze (https://firebase.google.com/pricing/)
       # - name: Deploy api
-      #   if: ${{ (fromJSON(needs.checks.outputs.changes).dependencies == 'true' || fromJSON(needs.checks.outputs.changes).src == 'true') && needs.checks.outputs.origin == 'true' }}
+      #   if: ${{ fromJSON(needs.checks.outputs.changes).dependencies == 'true' || fromJSON(needs.checks.outputs.changes).src == 'true' }}
       #   run: |
       #     npx nx build api --configuration firebase
       #     yarn firebase:deploy:ci:api || exit 1

.github/workflows/publish-packages.yml

@@ -87,7 +87,6 @@ jobs:
     runs-on: ubuntu-latest
 
     outputs:
-      origin: ${{ steps.check-origin.outputs.origin }}
       dry-run: ${{ steps.variables.outputs.dry-run }}
       ref: ${{ steps.variables.outputs.ref }}
       publish-client-d3-charts: ${{ steps.variables.outputs.publish-client-d3-charts }}
@@ -170,12 +169,11 @@ jobs:
         uses: ./.github/actions/setup-environment
 
       - name: Check origin
-        id: check-origin
         uses: ./.github/actions/check-origin
 
   publish-client-d3-charts:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && needs.checks.outputs.publish-client-d3-charts == 'true' }}
+    if: needs.checks.outputs.publish-client-d3-charts == 'true'
     runs-on: ubuntu-latest
 
     steps:
@@ -196,7 +194,7 @@ jobs:
 
   publish-client-guided-tour:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && needs.checks.outputs.publish-client-guided-tour == 'true' }}
+    if: needs.checks.outputs.publish-client-guided-tour == 'true'
     runs-on: ubuntu-latest
 
     steps:
@@ -217,7 +215,7 @@ jobs:
 
   publish-client-pwa-offline:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && needs.checks.outputs.publish-client-pwa-offline == 'true' }}
+    if: needs.checks.outputs.publish-client-pwa-offline == 'true'
     runs-on: ubuntu-latest
 
     steps:
@@ -238,7 +236,7 @@ jobs:
 
   publish-client-util-eliza:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && needs.checks.outputs.publish-client-util-eliza == 'true' }}
+    if: needs.checks.outputs.publish-client-util-eliza == 'true'
     runs-on: ubuntu-latest
 
     steps:
@@ -259,7 +257,7 @@ jobs:
 
   publish-backend-diagnostics:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && needs.checks.outputs.publish-backend-diagnostics == 'true' }}
+    if: needs.checks.outputs.publish-backend-diagnostics == 'true'
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/trunk.yml

@@ -21,7 +21,6 @@ jobs:
     outputs:
       changes: ${{ steps.check-changes.outputs.changes }}
       deploy: ${{ steps.check-changes.outputs.deploy }}
-      origin: ${{ steps.check-origin.outputs.origin }}
 
     steps:
       - name: Checkout sources
@@ -37,7 +36,6 @@ jobs:
         uses: ./.github/actions/check-changes
 
       - name: Check origin
-        id: check-origin
         uses: ./.github/actions/check-origin
 
   trunk:
@@ -106,7 +104,7 @@ jobs:
         uses: ./.github/actions/dist-artifact-upload
 
       - name: Dispatch package publishing
-        if: ${{ needs.checks.outputs.origin == 'true' && fromJSON(needs.checks.outputs.changes).packages == 'true' }}
+        if: fromJSON(needs.checks.outputs.changes).packages == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO: ${{ github.repository }}
@@ -127,7 +125,7 @@ jobs:
 
   deploy-apps:
     needs: [checks, trunk]
-    if: ${{ needs.checks.outputs.origin == 'true' && fromJSON(needs.checks.outputs.changes).deploy == 'true' }}
+    if: fromJSON(needs.checks.outputs.changes).deploy == 'true'
     uses: ./.github/workflows/deploy-apps.yml
     secrets: inherit
     with:
@@ -138,7 +136,7 @@ jobs:
 
   publish-packages:
     needs: [checks, trunk]
-    if: ${{ needs.checks.outputs.origin == 'true' && fromJSON(needs.checks.outputs.changes).packages == 'true' }}
+    if: fromJSON(needs.checks.outputs.changes).packages == 'true'
     runs-on: ubuntu-latest
 
     permissions:

.github/workflows/validate-pr.yml

@@ -23,7 +23,6 @@ jobs:
       projects-build: ${{ steps.check-projects-build.outputs.projects }}
       changes: ${{ steps.check-changes.outputs.changes }}
       success: ${{ steps.check.outputs.success || 'true' }}
-      origin: ${{ steps.check-origin.outputs.origin }}
 
     steps:
       - name: Checkout sources
@@ -70,7 +69,6 @@ jobs:
           trunk: 'main'
 
       - name: Check origin
-        id: check-origin
         uses: ./.github/actions/check-origin
 
       - name: Set failure
@@ -272,7 +270,7 @@ jobs:
 
   publish-packages-dry-run:
     needs: checks
-    if: ${{ needs.checks.outputs.origin == 'true' && fromJSON(needs.checks.outputs.changes).packages == 'true' }}
+    if: fromJSON(needs.checks.outputs.changes).packages == 'true'
     runs-on: ubuntu-latest
 
     permissions: