Merge pull request #30 from wrappid/WRPD-ci-28

ci(core): 🔧 improve PR checks
wrappid · Sep 21, 2024 · 4038884 · 4038884
2 parents 17a34be + c0d13a8
commit 4038884
Showing 1 changed file with 48 additions and 12 deletions.
diff --git a/.github/workflows/pr-guardrails.yml b/.github/workflows/pr-guardrails.yml
@@ -2,9 +2,36 @@ name    : PR Guardrails
 run-name: >
   Validating PR #${{ github.event.pull_request.number }}, opened by ${{ github.actor }}
 
-on: pull_request
+on: pull_request_target
+
+env:
+  ALLOWED_MODIFIERS: "61864488"
+  # maintainer anantakumarghosh
+  # contact: antaghosh@gmail.com
 
 jobs:
+
+  check_sensitive_files:
+    name: Check for any sensitive file modifications
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Check for sensitive file modifications
+        run: |
+          MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+          SENSITIVE_FILES=$(echo "$MODIFIED_FILES" | grep -E '^\.github/|^LICENSE$|^CONTRIBUTING\.md$' || true)
+          if [ ! -z "$SENSITIVE_FILES" ] && [ "${{ github.event.pull_request.user.id }}" != "${{ env.ALLOWED_USERNAME }}" ]; then
+            echo "Error: Unauthorized modification of sensitive files detected:"
+            echo "$SENSITIVE_FILES"
+            echo "Only user with ID 61864488 is allowed to modify these files."
+            exit 1
+          fi
+
+
   branchname:
     name: Validate branch name
     runs-on: ubuntu-latest
@@ -32,11 +59,15 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Check out branch
+      - name: Check out code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Fetch PR commits
+        run: |
+          git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head:refs/remotes/origin/pr/${{ github.event.pull_request.number }}
+
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
@@ -49,7 +80,7 @@ jobs:
 
       - name: Install commitlint
         run: |
-          npm ci
+          npm i
           npm install conventional-changelog-conventionalcommits@7.0.2
 
       - name: Print versions
@@ -59,14 +90,19 @@ jobs:
           npm --version
           npx commitlint --version
 
-      - name: Run commitlint
-        run: >
-          npx commitlint
-          --from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }}
-          --to ${{ github.event.pull_request.head.sha }}
-          --verbose
+      - name: Get commit range
+        id: commit_range
+        run: |
+          BASE_SHA=$(git merge-base ${{ github.event.pull_request.base.sha }} origin/pr/${{ github.event.pull_request.number }})
+          echo "base_sha=$BASE_SHA" >> $GITHUB_OUTPUT
+          HEAD_SHA=${{ github.event.pull_request.head.sha }}
+          echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
 
-  codelint-app:
+      - name: Run commitlint
+        run: |
+          npx commitlint --from ${{ steps.commit_range.outputs.base_sha }} --to ${{ steps.commit_range.outputs.head_sha }} --verbose
+        
+  codelint_app:
     name: Validate app code style
     runs-on: ubuntu-latest
 
@@ -110,7 +146,7 @@ jobs:
         run: |
           npm run code:lint:app ${{ steps.git_diff.outputs.FILES_TO_LINT }}
 
-  codelint-service:
+  codelint_service:
     name: Validate service code style
     runs-on: ubuntu-latest
 
@@ -157,7 +193,7 @@ jobs:
   unit_tests:
     name: Run unit test cases
     runs-on: ubuntu-latest
-    needs: [branchname, commitlint, codelint-app, codelint-service]
+    needs: [branchname, commitlint, codelint_app, codelint_service]
 
     steps:
       - name: Check out branch