diff --git a/.github/workflows/pr-guardrails.yml b/.github/workflows/pr-guardrails.yml
index e6042f2..a9de854 100644
--- a/.github/workflows/pr-guardrails.yml
+++ b/.github/workflows/pr-guardrails.yml
@@ -2,9 +2,36 @@ name : PR Guardrails
 run-name: >
 Validating PR #${{ github.event.pull_request.number }}, opened by ${{ github.actor }}
-on: pull_request
+on: pull_request_target
+
+env:
+ ALLOWED_MODIFIERS: "61864488"
+ # maintainer anantakumarghosh
+ # contact: antaghosh@gmail.com
 jobs:
+
+ check_sensitive_files:
+ name: Check for any sensitive file modifications
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Check for sensitive file modifications
+ run: |
+ MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+ SENSITIVE_FILES=$(echo "$MODIFIED_FILES" | grep -E '^\.github/|^LICENSE$|^CONTRIBUTING\.md$' || true)
+ if [ ! -z "$SENSITIVE_FILES" ] && [ "${{ github.event.pull_request.user.id }}" != "${{ env.ALLOWED_USERNAME }}" ]; then
+ echo "Error: Unauthorized modification of sensitive files detected:"
+ echo "$SENSITIVE_FILES"
+ echo "Only user with ID 61864488 is allowed to modify these files."
+ exit 1
+ fi
+
+
 branchname:
 name: Validate branch name
 runs-on: ubuntu-latest
@@ -32,11 +59,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Check out branch
+ - name: Check out code
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ - name: Fetch PR commits
+ run: |
+ git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head:refs/remotes/origin/pr/${{ github.event.pull_request.number }}
+
 - name: Use Node.js
 uses: actions/setup-node@v3
 with:
@@ -49,7 +80,7 @@ jobs:
 - name: Install commitlint
 run: |
- npm ci
+ npm i
 npm install conventional-changelog-conventionalcommits@7.0.2
 - name: Print versions
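Review bot: The `Check for sensitive file modifications` step compares the PR author against `${{ env.ALLOWED_USERNAME }}`, but the variable declared in the new `env:` block is `ALLOWED_MODIFIERS`, so the expression expands to an empty string and every author, including the intended maintainer, fails the check whenever a listed path changes. Change the condition to `[ "${{ github.event.pull_request.user.id }}" != "${{ env.ALLOWED_MODIFIERS }}" ]` and reuse the variable in the message, `echo "Only user with ID ${{ env.ALLOWED_MODIFIERS }} is allowed to modify these files."`, so the ID is not duplicated. Separately, on `pull_request_target` the default `actions/checkout` ref is the base branch and `fetch-depth: 0` does not bring in `refs/pull/*`, so `git diff … ${{ github.event.pull_request.head.sha }}` will most likely fail with an unknown object for fork PRs instead of listing files (the step then exits non-zero, which is fail-closed but is not the intended check); the `git fetch origin +refs/pull/…/head:…` step added to the commitlint job would be needed here before the diff. Switching the trigger to `pull_request_target` also gives every job in this file the base repository's token permissions and secrets, so no job should check out or execute PR-head content; the jobs not visible in this diff (codelint, unit_tests) need the same review.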
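Review bot: Replacing `npm ci` with `npm i` in the `Install commitlint` step drops lockfile enforcement: `npm i` may resolve newer versions and rewrite `package-lock.json`, which weakens reproducibility and widens the supply-chain surface in a workflow that now runs on `pull_request_target` with secrets available. Keep `npm ci` and add the preset without touching the lockfile, e.g. `npm ci` followed by `npm install --no-save conventional-changelog-conventionalcommits@7.0.2`; if `npm ci` was failing because the lockfile is out of sync, fix the lockfile on the base branch instead. The commitlint job this step belongs to starts outside the hunk.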
@@ -59,14 +90,19 @@ jobs:
 npm --version
 npx commitlint --version
- - name: Run commitlint
- run: >
- npx commitlint
- --from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }}
- --to ${{ github.event.pull_request.head.sha }}
- --verbose
+ - name: Get commit range
+ id: commit_range
+ run: |
+ BASE_SHA=$(git merge-base ${{ github.event.pull_request.base.sha }} origin/pr/${{ github.event.pull_request.number }})
+ echo "base_sha=$BASE_SHA" >> $GITHUB_OUTPUT
+ HEAD_SHA=${{ github.event.pull_request.head.sha }}
+ echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
- codelint-app:
+ - name: Run commitlint
+ run: |
+ npx commitlint --from ${{ steps.commit_range.outputs.base_sha }} --to ${{ steps.commit_range.outputs.head_sha }} --verbose
+
+ codelint_app:
 name: Validate app code style
 runs-on: ubuntu-latest
@@ -110,7 +146,7 @@ jobs:
 run: |
 npm run code:lint:app ${{ steps.git_diff.outputs.FILES_TO_LINT }}
- codelint-service:
+ codelint_service:
 name: Validate service code style
 runs-on: ubuntu-latest
@@ -157,7 +193,7 @@ jobs:
 unit_tests:
 name: Run unit test cases
 runs-on: ubuntu-latest
- needs: [branchname, commitlint, codelint-app, codelint-service]
+ needs: [branchname, commitlint, codelint_app, codelint_service]
 steps:
 - name: Check out branch
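Review bot: In the `Get commit range` step, `BASE_SHA` is computed from the locally fetched `origin/pr/N` ref while `HEAD_SHA` is taken from the event payload; if the PR branch is pushed to between the event and the fetch, the payload SHA is not present locally and the following `npx commitlint --to` fails (inferred from the fetch step, which pulls the current PR head rather than the payload SHA). Deriving both ends from the same ref, `HEAD_SHA=$(git rev-parse origin/pr/${{ github.event.pull_request.number }})`, keeps the range consistent; quoting the output file as well, `>> "$GITHUB_OUTPUT"`, matches the quoting already used around `$BASE_SHA`. The commitlint job begins outside the hunk.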
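Review bot: The updated `needs:` list on `unit_tests` does not include the new `check_sensitive_files` job, so a failing sensitive-file check does not stop the downstream jobs and only blocks merging if branch protection marks that job as a required status check. If the intent is to gate the pipeline on it, add it: `needs: [check_sensitive_files, branchname, commitlint, codelint_app, codelint_service]`. The `unit_tests` job continues past the hunk.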