-
Notifications
You must be signed in to change notification settings - Fork 5.2k
46 lines (36 loc) · 1.69 KB
/
protected-files.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: Protected Files
on: pull_request
env:
# Users allowed to edit protected files without failing check
user-allowed: ${{ github.event.pull_request.user.login == 'azure-sdk' }}
jobs:
protected-files:
name: Protected Files
runs-on: ubuntu-24.04
steps:
# Since check is required, the job must pass instead of being skipped
- name: User allowed
if: ${{ env.user-allowed == 'true' }}
run: echo "Account '${{ github.event.pull_request.user.login }}' is allowed to update protected files"
- uses: actions/checkout@v4
if: ${{ env.user-allowed != 'true' }}
with:
# Required since "HEAD^" is passed to Get-ChangedFiles
fetch-depth: 2
- name: Detect changes to protected files
if: ${{ env.user-allowed != 'true' }}
run: |
. eng/scripts/ChangedFiles-Functions.ps1
$protectedFiles = @("cspell.json", "cspell.yaml", "package.json", "package-lock.json", ".github/*", "eng/*")
$changedFiles = @(Get-ChangedFiles -baseCommitish HEAD^ -targetCommitish HEAD -diffFilter "")
$matchedFiles = @($changedFiles | Where-Object { $changedFile = $_; $protectedFiles | Where-Object { $changedFile -like $_ } })
if ($matchedFiles.Count -gt 0) {
foreach ($file in $matchedFiles) {
Write-Output "::error file=$file::File '$file' should only be updated by the Azure SDK team. If intentional, the PR may be merged by the Azure SDK team via bypassing the branch protections."
}
exit 1
}
else {
Write-Output "No changes to protected files: [$($protectedFiles -join ', ')]"
}
shell: pwsh