From caf9938c8935c2ecef628bc691b187932130c374 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89douard=20Bri=C3=A8re?= <edouard.briere@gmail.com>
Date: Mon, 30 Mar 2026 19:06:42 +0200
Subject: [PATCH] Only run on default branch, schedule, or manual dispatch

Add an early guard in entrypoint.sh that skips execution for
unsupported event types (e.g. pull_request) and for pushes to
non-default branches. Exits cleanly with a warning instead of
failing.
---
 entrypoint.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/entrypoint.sh b/entrypoint.sh
index 8fa286a..7c0dbe8 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -5,6 +5,22 @@ set -euo pipefail
 cd "${GITHUB_WORKSPACE:-.}"
 git config --global --add safe.directory "${GITHUB_WORKSPACE:-.}"
 
+# ─── Guard: only run on the default branch or scheduled/manual triggers ─────────
+EVENT="${GITHUB_EVENT_NAME:-}"
+if [ "$EVENT" = "schedule" ] || [ "$EVENT" = "workflow_dispatch" ]; then
+  : # always allowed
+elif [ "$EVENT" = "push" ]; then
+  DEFAULT_BRANCH=$(git remote show origin | grep 'HEAD branch' | sed 's/.*: //')
+  CURRENT_BRANCH="${GITHUB_REF#refs/heads/}"
+  if [ "$CURRENT_BRANCH" != "$DEFAULT_BRANCH" ]; then
+    echo "::warning::Skipping: push event on '${CURRENT_BRANCH}', not the default branch '${DEFAULT_BRANCH}'."
+    exit 0
+  fi
+else
+  echo "::warning::Skipping: unsupported event '${EVENT}'. This action only runs on push to the default branch, schedule, or workflow_dispatch."
+  exit 0
+fi
+
 # ─── Helpers ────────────────────────────────────────────────────────────────────
 
 # Sanitize user-provided CLI options: allow only flags, alphanumerics, dashes,