Run CI on fork pull requests

[helizaga]

Partial revert of #179, which skipped all CI jobs for fork PRs. Since then every external contribution merges with zero ShellCheck/BATS coverage — #183 came from a fork and showed green with only the CodeRabbit check, so I had to run the suite locally before merging.

The secret-exposure concern in #179 doesn't apply to this workflow. lint.yml runs on plain pull_request, and GitHub never passes repository secrets to fork-PR pull_request runs and hands them a read-only GITHUB_TOKEN. That risk is specific to pull_request_target, which we don't use. The only secret-bearing workflow (homebrew.yml, HOMEBREW_TAP_TOKEN) triggers on release and workflow_dispatch, neither reachable from a fork PR.

What remains is runner compute abuse, and GitHub's built-in approval gate already covers it: first-time contributors need a maintainer to click "Approve and run" before any workflow executes. If we want that for every outside contributor, it's Settings → Actions → General → "Require approval for all outside collaborators", no workflow changes needed.

cc @harjotgill since #179 was yours — happy to adjust if there's a threat model here I'm missing.

Summary by CodeRabbit

• Chores
  • Updated continuous integration workflow to adjust when certain jobs execute, allowing them to run in more scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2ab56803-0f34-4a57-a068-c71c32059b6e

📥 Commits

Reviewing files that changed from the base of the PR and between ad7a3c5 and c2ae136.

📒 Files selected for processing (1)

• .github/workflows/lint.yml

💤 Files with no reviewable changes (1)

• .github/workflows/lint.yml

---

Walkthrough

The lint workflow's shellcheck, completions, and test jobs have their fork-detection conditional guards removed, allowing all three jobs to run without conditional gating for push and pull request events.

Changes

Lint workflow fork guards removal

Layer / File(s)	Summary
Remove fork-detection conditions from lint jobs .github/workflows/lint.yml	Three parallel deletions remove job-level if: conditions from shellcheck, completions, and test jobs. These conditions previously prevented execution on PRs from forks. Jobs now run unconditionally when triggered by push or pull_request events.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

• NatoBoram

Poem

🐰 Guards removed with a gentle touch,
Three workflows no longer flinch so much,
Forks now run with equal grace,
No gating logic wins the race!
The lint now flows for everyone. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main change: removing conditional gatings to enable CI job execution on fork pull requests, which matches the file-level changes that deleted job-level if: conditions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fork-pr-ci

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[averyjennings]

Approve — no blockers.

This removes the three job-level if: fork guards from .github/workflows/lint.yml, restoring ShellCheck/Completions/BATS coverage for fork PRs. Verified it's a clean, intentional revert of #179's lint.yml change (the PR blob matches the exact pre-#179 version; #179's commit 828413f added precisely these three lines), not a stale-snapshot regression.

The security reasoning in the description holds up under inspection:

• The workflow triggers on plain pull_request, not pull_request_target — so fork runs get no repository secrets and a read-only GITHUB_TOKEN. permissions: read-all enforces read-only regardless.
• lint.yml references no secrets at all. The only secret-bearing workflow, homebrew.yml (HOMEBREW_TAP_TOKEN), triggers solely on release and workflow_dispatch — neither reachable from a fork PR.
• The three jobs only checkout, install tooling, and run linters/tests on an ephemeral runner. Residual risk is runner compute abuse, already covered by GitHub's contributor-approval gate (and the stricter "Require approval for all outside collaborators" setting noted in the description if you want it).

This is a strict improvement: previously the skipped jobs reported neutral/green, so fork PRs like #183 merged with zero real CI coverage. Now those checks actually run.