From 9b3172d0bb9260feb86049b9c5add8dd5f58156b Mon Sep 17 00:00:00 2001
From: Peter Turi <peter.turi@openmeter.io>
Date: Wed, 1 Apr 2026 15:01:29 +0200
Subject: [PATCH 1/3] chore: fork CI

---
 .github/workflows/ci.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 51a6caf901..c26f0f2d1e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -368,6 +368,8 @@ jobs:
   artifacts:
     name: Artifacts
     uses: ./.github/workflows/artifacts.yaml
+    # Skip artifact building for forks
+    if: github.event.pull_request.head.repo.full_name == github.repository
     with:
       publish: ${{ github.event_name == 'push' }}
     permissions:

From 51f51c36b4e336fc8163314c07daa570803f2363 Mon Sep 17 00:00:00 2001
From: Peter Turi <peter.turi@openmeter.io>
Date: Wed, 1 Apr 2026 15:08:04 +0200
Subject: [PATCH 2/3] feat: allow docker builds in forks

---
 .github/workflows/artifacts.yaml | 10 ++++++++--
 .github/workflows/ci.yaml        |  4 ++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 4e61298415..b9217692a6 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -8,6 +8,10 @@ on:
         default: false
         required: false
         type: boolean
+      untrusted_source:
+        description: Whether the source is untrusted (e.g. running from a fork)
+        required: true
+        type: boolean
     outputs:
       container-image-name:
         description: Container image name
@@ -92,7 +96,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           push: ${{ inputs.publish }}
-          save: true
+          save: ${{ not inputs.untrusted_source }}
           project: ${{ vars.DEPOT_PROJECT }}
 
       - name: Set image ref
@@ -104,6 +108,7 @@ jobs:
 
       - name: Retrieve pull token
         id: pull-token
+        if: not inputs.untrusted_source
         run: |
           PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
           echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
@@ -199,7 +204,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           push: ${{ inputs.publish }}
-          save: true
+          save: ${{ not inputs.untrusted_source }}
           project: ${{ vars.DEPOT_PROJECT }}
 
       - name: Set image ref
@@ -211,6 +216,7 @@ jobs:
 
       - name: Retrieve pull token
         id: pull-token
+        if: not inputs.untrusted_source
         run: |
           PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
           echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c26f0f2d1e..dddb58ef97 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -368,10 +368,10 @@ jobs:
   artifacts:
     name: Artifacts
     uses: ./.github/workflows/artifacts.yaml
-    # Skip artifact building for forks
-    if: github.event.pull_request.head.repo.full_name == github.repository
     with:
       publish: ${{ github.event_name == 'push' }}
+      # detect if the source is a fork
+      untrusted_source: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
     permissions:
       contents: read
       packages: write

From 5270d8825a83a01066179b25cdd31c0cc38efb7e Mon Sep 17 00:00:00 2001
From: Peter Turi <peter.turi@openmeter.io>
Date: Wed, 1 Apr 2026 15:11:43 +0200
Subject: [PATCH 3/3] chore: forks build more

---
 .github/workflows/ci.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dddb58ef97..8bf1d08fd0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -422,6 +422,7 @@ jobs:
           persist-credentials: false
 
       - name: Create override files for quickstart
+        if: github.event.pull_request.head.repo.full_name == github.repository
         env:
           DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
         run: |
@@ -443,6 +444,24 @@ jobs:
 
           cat quickstart/docker-compose.override.yaml
 
+      - name: Build as part of quickstart
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          cat > quickstart/docker-compose.override.yaml <<EOF
+          services:
+            openmeter:
+              build: ..
+            sink-worker:
+              build: ..
+            balance-worker:
+              build: ..
+            notification-service:
+              build: ..
+            billing-worker:
+              build: ..
+            openmeter-jobs:
+              build: ..
+          EOF
       - name: Launch Docker Compose
         run: docker compose -f docker-compose.yaml -f docker-compose.override.yaml up -d
         working-directory: quickstart
@@ -514,6 +533,7 @@ jobs:
       - name: Create override files for e2e
         env:
           DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
+        if: github.event.pull_request.head.repo.full_name == github.repository
         run: |
           cat > e2e/docker-compose.override.yaml <<EOF
           services:
@@ -525,6 +545,19 @@ jobs:
 
           cat e2e/docker-compose.override.yaml
 
+      - name: Build as part of e2e
+        if: github.event.pull_request.head.repo.full_name != github.repository
+        run: |
+          cat > e2e/docker-compose.override.yaml <<EOF
+          services:
+            openmeter:
+              build: ..
+            sink-worker:
+              build: ..
+          EOF
+
+          cat e2e/docker-compose.override.yaml
+
       - name: Launch Docker Compose infra
         run: docker compose -f docker-compose.infra.yaml -f docker-compose.openmeter.yaml -f docker-compose.override.yaml up -d
         working-directory: e2e