mirror of
https://github.com/microsoft/vscode.git
synced 2026-04-02 16:25:00 +01:00
c7de0877e0
Bumps [octokit/request-action](https://github.com/octokit/request-action) from 2.4.0 to 3.0.0.
- [Release notes](https://github.com/octokit/request-action/releases)
- [Commits](dad4362715...b91aabaa86)
---
updated-dependencies:
- dependency-name: octokit/request-action
dependency-version: 3.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Raymond Zhao <7199958+rzhao271@users.noreply.github.com>
81 lines
4.7 KiB
YAML
81 lines
4.7 KiB
YAML
name: Prevent engineering system changes in PRs
|
|
|
|
on: pull_request
|
|
permissions: {}
|
|
|
|
jobs:
|
|
main:
|
|
name: Prevent engineering system changes in PRs
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Get file changes
|
|
uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
|
|
id: file_changes
|
|
- name: Check if engineering systems were modified
|
|
id: engineering_systems_check
|
|
run: |
|
|
if cat $HOME/files.json | jq -e 'any(test("^\\.github\\/workflows\\/|^build\\/|package\\.json$"))' > /dev/null; then
|
|
echo "engineering_systems_modified=true" >> $GITHUB_OUTPUT
|
|
echo "Engineering systems were modified in this PR"
|
|
else
|
|
echo "engineering_systems_modified=false" >> $GITHUB_OUTPUT
|
|
echo "No engineering systems were modified in this PR"
|
|
fi
|
|
- name: Allow automated distro updates
|
|
id: distro_exception
|
|
if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login == 'vs-code-engineering[bot]' }}
|
|
run: |
|
|
# Allow the vs-code-engineering bot ONLY when package.json is the
|
|
# sole changed file and the diff exclusively touches the "distro" field.
|
|
ONLY_PKG=$(jq -e '. == ["package.json"]' "$HOME/files.json" > /dev/null 2>&1 && echo true || echo false)
|
|
if [[ "$ONLY_PKG" != "true" ]]; then
|
|
echo "Bot modified files beyond package.json — not allowed"
|
|
echo "allowed=false" >> $GITHUB_OUTPUT
|
|
exit 0
|
|
fi
|
|
|
|
DIFF=$(gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}) || {
|
|
echo "Failed to fetch PR diff — not allowed"
|
|
echo "allowed=false" >> $GITHUB_OUTPUT
|
|
exit 0
|
|
}
|
|
CHANGED_LINES=$(echo "$DIFF" | grep -E '^[+-]' | grep -vE '^(\+\+\+|---)' | wc -l)
|
|
DISTRO_LINES=$(echo "$DIFF" | grep -cE '^[+-][[:space:]]*"distro"[[:space:]]*:' || true)
|
|
|
|
if [[ "$CHANGED_LINES" -eq 2 && "$DISTRO_LINES" -eq 2 ]]; then
|
|
echo "Distro-only update by bot — allowing"
|
|
echo "allowed=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "Bot changed more than the distro field — not allowed"
|
|
echo "allowed=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Prevent Copilot from modifying engineering systems
|
|
if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.distro_exception.outputs.allowed != 'true' && github.event.pull_request.user.login == 'Copilot' }}
|
|
run: |
|
|
echo "Copilot is not allowed to modify .github/workflows, build folder files, or package.json files."
|
|
echo "If you need to update engineering systems, please do so manually or through authorized means."
|
|
exit 1
|
|
- uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
|
|
id: get_permissions
|
|
if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.distro_exception.outputs.allowed != 'true' && github.event.pull_request.user.login != 'Copilot' }}
|
|
with:
|
|
route: GET /repos/microsoft/vscode/collaborators/${{ github.event.pull_request.user.login }}/permission
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set control output variable
|
|
id: control
|
|
if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.distro_exception.outputs.allowed != 'true' && github.event.pull_request.user.login != 'Copilot' }}
|
|
run: |
|
|
echo "user: ${{ github.event.pull_request.user.login }}"
|
|
echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}"
|
|
echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}"
|
|
echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}"
|
|
echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT
|
|
- name: Check for engineering system changes
|
|
if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.distro_exception.outputs.allowed != 'true' && steps.control.outputs.should_run == 'true' }}
|
|
run: |
|
|
echo "Changes to .github/workflows/, build/ folder files, or package.json files aren't allowed in PRs."
|
|
exit 1
|