[Snyk] Fix for 2 vulnerabilities #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check unallowed file changes | |
# **What it does**: If someone changes some files in the open repo, we prevent the pull request from merging. | |
# **Why we have it**: Some files can only be changed in the internal repository for security and workflow reasons. | |
# **Who does it impact**: Open source contributors. | |
on: | |
# Needed in lieu of `pull_request` so that PRs from a fork can be notified of unallowed changes. | |
pull_request_target: | |
permissions: | |
contents: read | |
pull-requests: write | |
jobs: | |
triage: | |
if: >- | |
${{ | |
github.repository == 'github/docs' && | |
github.event.pull_request.user.login != 'docs-bot' && | |
github.event.pull_request.user.login != 'dependabot[bot]' | |
}} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Get files changed | |
uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd | |
id: filter | |
with: | |
# Base branch used to get changed files | |
base: 'main' | |
# Enables setting an output in the format in `${FILTER_NAME}_files | |
# with the names of the matching files formatted as JSON array | |
list-files: json | |
# Returns list of changed files matching each filter | |
filters: 'src/workflows/unallowed-contribution-filters.yml' | |
- name: Set up Node and dependencies | |
if: ${{ steps.filter.outputs.notAllowed || steps.filter.outputs.contentTypes}} | |
uses: ./.github/actions/node-npm-setup | |
# When there are changes to files we can't accept, leave a comment | |
# explaining this to the PR author | |
- name: "Comment about changes we can't accept" | |
if: ${{ steps.filter.outputs.notAllowed || steps.filter.outputs.contentTypes}} | |
run: npm run unallowed-contributions | |
env: | |
REPO_OWNER_AND_NAME: ${{ github.repository }} | |
PR_NUMBER: ${{ github.event.number }} | |
FILE_PATHS_NOT_ALLOWED: ${{ steps.filter.outputs.notAllowed_files }} | |
CHANGED_FILE_PATHS: ${{ steps.filter.outputs.contentTypes_files }} | |
ADDED_CONTENT_FILES: ${{ steps.filter.outputs.added_files }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |