LightAndLight / ipso

A functional scripting language.

Home Page:https://ipso.dev

Should pull requests push to the binary cache?

LightAndLight opened this issue

GitHub Actions secrets aren't provided to fork pull requests. Currently the ipso-cli workflow will fail for such pull requests. It tries to push to the binary cache, but credentials (which I store as secrets) are missing, so Nix can't authenticate to the bucket. An always-failing workflow is a bad experience for contributors, so I want to avoid it.

GitHub Actions doesn't send secrets to fork pull requests because someone could propose a change to the workflow declaration that leaks the secrets. Following a similar line of reasoning, fork pull requests could propose changes that result in crap getting uploaded to the cache.

I'm tempted to only upload to the binary cache when building main. That way the binary cache consists only of artifacts that have passed review.

With separate workflows for pull requests and main, I could possibly tweak the pull request workflow to compile and test faster because it wouldn't have to do a full release build.
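The main-only cache push described in this issue, as an added workflow example; it is not the project's actual ipso-cli workflow. Assumed (not from the issue): the cache is an S3-compatible bucket named `example-ipso-cache`, the credentials are stored as the secrets `CACHE_AWS_ACCESS_KEY_ID` / `CACHE_AWS_SECRET_ACCESS_KEY`, the flake output is `.#ipso-cli`, and the action versions. The push step runs only on a `push` to `main`, so a fork pull request, which receives no secrets, skips the step instead of failing on authentication:

```yaml
# Added example, not the repository's own workflow file.
name: ipso-cli

on:
  push:
    branches: [main]
  # pull_request (not pull_request_target): fork PRs run with no secrets
  # and with a read-only GITHUB_TOKEN, so a malicious workflow edit in the
  # PR cannot exfiltrate the cache credentials.
  pull_request:

# Least privilege for the default token; the cache uses its own credentials.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: cachix/install-nix-action@v27   # version is an assumption
        with:
          extra_nix_config: "experimental-features = nix-command flakes"

      # Build and test run for every event, including fork PRs.
      - name: Build
        run: nix build .#ipso-cli        # flake attribute is an assumption

      - name: Test
        run: nix flake check

      # Only artifacts that went through review reach the cache: the step
      # is skipped (not failed) unless this is a push to main.
      - name: Push to binary cache (main only)
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.CACHE_AWS_ACCESS_KEY_ID }}       # assumed secret name
          AWS_SECRET_ACCESS_KEY: ${{ secrets.CACHE_AWS_SECRET_ACCESS_KEY }} # assumed secret name
        run: |
          # readlink resolves the ./result symlink to the store path nix copy expects
          nix copy --to 's3://example-ipso-cache?region=us-east-1' "$(readlink -f result)"
```

Two checks worth making with this layout: first, that the trigger is `pull_request` and never `pull_request_target`, since the latter runs the base branch's workflow with secrets against untrusted PR code and would reintroduce the leak the issue is trying to avoid; second, that the `if:` condition tests both the event name and the ref, because `github.ref` on a `pull_request` event is the merge ref, not `refs/heads/main`, and the event-name check is what keeps a PR against `main` from matching. If the bucket allows anonymous reads, fork PRs can still consume the cache as a substituter without any secret; only writes are gated. The same guard also works with the two-workflow split the issue considers: the PR workflow simply omits the push step and can build a faster non-release variant.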