Add repository guards to deployment workflows (#877)

- Guard deploy-docs job to only run in canonical repository
- Guard goreleaser job to only run in canonical repository
- Guard update-homebrew job to only run in canonical repository
- Guard test-pypi job to only run in canonical repository

Prevents fork workflows from attempting to deploy, release, or publish to external services.

.github/workflows/deploy-docs.yml

@@ -83,6 +83,8 @@ jobs:
           path: website/build
 
   deploy:
+    # Guard: deploy should only run in the canonical repository (not in forks)
+    if: ${{ github.repository == 'steveyegge/beads' }}
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/release.yml

@@ -15,6 +15,8 @@ permissions:
 
 jobs:
   goreleaser:
+    # Guard: only run goreleaser in the canonical repository (not in forks)
+    if: ${{ github.repository == 'steveyegge/beads' }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/test-pypi.yml

@@ -5,6 +5,8 @@ on:
 
 jobs:
   test-publish:
+    # Guard: only allow test PyPI publish runs in the canonical repository
+    if: ${{ github.repository == 'steveyegge/beads' }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/update-homebrew.yml

@@ -14,6 +14,8 @@ permissions:
 
 jobs:
   update-formula:
+    # Guard: only run homebrew update in the canonical repository (not in forks)
+    if: ${{ github.repository == 'steveyegge/beads' }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout beads repo