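---
# Labels pull requests that touch security-related code so reviewers can
# prioritise them. The job only reads the PR's file list and adds a label;
# it never checks out or executes code from the PR.
name: "Flag the PRs touching security related code"

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [v2.x.x, v3.x.x]

jobs:
  analyze:
    name: Identify security related PR
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Least privilege: the job lists PR files and adds a label, nothing else.
    # The previous `write-all` granted every token scope (contents, packages,
    # actions, ...) to a step that needs none of them. `issues: write` is
    # included because the label is added through the issues endpoint.
    permissions:
      pull-requests: write
      issues: write
    # NOTE(review): on the `pull_request` event the token is read-only for PRs
    # opened from forks, so the label call will fail for those; `pull_request_target`
    # would avoid that but must still not check out or run PR code.
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const owner = "zowe";
            const repository = "api-layer";
            // The PR number is an integer from the event payload, so the
            // expression interpolation is not an injection vector.
            const prNumber = ${{ github.event.pull_request.number }};
            // pulls.listFiles is paginated (30 files per page by default);
            // paginate so a large PR cannot hide a security file past page 1.
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner,
              repo: repository,
              pull_number: prNumber,
              per_page: 100
            });
            // Case-insensitive so paths like "SecurityConfig.java" are caught too.
            const isRisky = files.some(file =>
              file.filename.toLowerCase().includes("security"));
            if (isRisky) {
              await github.rest.issues.addLabels({
                owner,
                repo: repository,
                issue_number: prNumber,
                labels: ['Sensitive']
              });
            }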