From 0c781bd2e28e068fee68adaea03b0625748eae3e Mon Sep 17 00:00:00 2001
From: Phil Dibowitz <phil@ipom.com>
Date: Tue, 2 Jun 2026 13:42:11 -0700
Subject: [PATCH] Grype cannot run on PRs as it requires secrets

Please stop enabling this garbage on PRs, it breaks the world.

Signed-off-by: Phil Dibowitz <phil@ipom.com>
---
 .github/workflows/ci-main-pull-request.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main-pull-request.yml b/.github/workflows/ci-main-pull-request.yml
index 73ea595..fb67e52 100644
--- a/.github/workflows/ci-main-pull-request.yml
+++ b/.github/workflows/ci-main-pull-request.yml
@@ -1051,7 +1051,7 @@ jobs:
 
   run-grype-hab-package-scan:
     name: 'Grype scan Habitat packages from bldr.habitat.sh'
-    if: ${{ inputs.perform-grype-hab-scan == true }}
+    if: ${{ inputs.perform-grype-hab-scan == true && github.event_name == 'push' }}
     uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@main
     needs: checkout
     secrets: inherit