diff --git a/.github/workflows/config/sensitive_files.txt b/.github/workflows/config/sensitive_files.txt new file mode 100644 index 00000000..e77bb7a0 --- /dev/null +++ b/.github/workflows/config/sensitive_files.txt @@ -0,0 +1,31 @@ +.github/ +CNAME$ +static/CNAME +package.json +sidebar +docusaurus.config.js +babel.config.js +CODEOWNERS +LICENSE +./*.md +package-lock.json +tsconfig.json +pnpm-lock.yaml +.gitignore +.prettierignore +.prettierrc +^src/.* +^.gitignore$ +.node-version$ +.eslintrc.json$ +.eslintignore$ +CODEOWNERS$ +LICENSE$ +.coderabbit.yaml$ +.*.pem$ +.*.key$ +.*.cert$ +.*.password$ +.*.secret$ +.*.credentials$ +.nojekyll$ diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 8e3ea477..11f88ce9 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -82,6 +82,13 @@ jobs: with: fetch-depth: 0 # Fetch all history for all branches and tags + - name: Checkout centralized CI/CD scripts + uses: actions/checkout@v4 + with: + repository: PalisadoesFoundation/.github + ref: main + path: .github-central + - name: Get PR labels id: check-labels env: @@ -101,6 +108,12 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi + - name: Set up Python + if: steps.check-labels.outputs.skip != 'true' + uses: actions/setup-python@v5 + with: + python-version: 3.11 + - name: Get Changed Unauthorized files if: steps.check-labels.outputs.skip != 'true' id: changed-unauth-files 
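Review bot: Several entries in this deny-list are looser than they look, and how they are matched now depends on `sensitive_file_check.py` in the external `PalisadoesFoundation/.github` repository, which is not visible here. Read as extended regexes (as the removed `grep -E` loop did), the unescaped `.` and missing anchors mean `.cert$` matches a file named `concert`, `.*.password$` matches any path ending in `password`, `package.json` matches `my-package.json` or `package-json`, and `./*.md` is a shell glob that as a regex means "any character, optional slashes, any character, then `md`" rather than top-level Markdown files. Escaping dots and anchoring — `\.pem$`, `\.key$`, `(^|/)package\.json$`, and `^[^/]+\.md$` if the intent was top-level `*.md` — keeps the list a precise deny-list instead of a source of false positives that train reviewers to apply the override label routinely. Three entries are also listed twice in different forms (`CODEOWNERS`/`CODEOWNERS$`, `LICENSE`/`LICENSE$`, `.gitignore`/`^.gitignore$`); dropping the unanchored duplicates and, if the script tolerates comments, adding a first line such as `# one extended regex per line, matched against each changed path` would document the contract.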
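Review bot: The "Checkout centralized CI/CD scripts" step pulls `PalisadoesFoundation/.github` at `ref: main`, a mutable branch, so the Python script this workflow later executes from `.github-central` can change without any review in this repository — a supply-chain exposure for a check whose whole purpose is guarding sensitive files. Pin it to a full commit SHA, `ref: <40-hex commit sha>`, and bump it deliberately the way action versions are bumped. Because the clone lands inside the workspace and `actions/checkout` persists the job token in the clone's `.git/config` by default, also add `persist-credentials: false` under `with:` unless a later step needs to push from that checkout.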
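Review bot: `python-version: 3.11` in the new "Set up Python" step is an unquoted YAML float; it happens to stringify as `3.11`, but the same spelling with `3.10` would silently become `3.1`, so quote it as `python-version: "3.11"` per the usual GitHub Actions convention. The `if: steps.check-labels.outputs.skip != 'true'` gate mirrors the following step, so the interpreter is only provisioned when the check actually runs, which is fine.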
@@ -116,75 +129,13 @@ jobs: HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}" BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA") - # Define sensitive files patterns as a bash array - SENSITIVE_PATTERNS=( - ".github/" - "CNAME$" - "static/CNAME" - "package.json" - "sidebar" - "docusaurus.config.js" - "babel.config.js" - "CODEOWNERS" - "LICENSE" - "./*.md" - "package-lock.json" - "tsconfig.json" - "pnpm-lock.yaml" - ".gitignore" - ".prettierignore" - ".prettierrc" - '^src/.*' - '^.gitignore$' - '.node-version$' - '.eslintrc.json$' - '.eslintignore$' - 'CODEOWNERS$' - 'LICENSE$' - '.coderabbit.yaml$' - '.*.pem$' - '.*.key$' - '.*.cert$' - '.*.password$' - '.*.secret$' - '.*.credentials$' - '.nojekyll$' - ) - - # Check for changes in sensitive files - CHANGED_UNAUTH_FILES="" - for pattern in "${SENSITIVE_PATTERNS[@]}"; do - FILES=$(git diff --name-only --diff-filter=ACMRD "$BASE_SHA" "$HEAD_SHA" | grep -E "$pattern" || true) - if [ ! -z "$FILES" ]; then - CHANGED_UNAUTH_FILES="$CHANGED_UNAUTH_FILES $FILES" - fi - done - - # Trim and format output - CHANGED_UNAUTH_FILES=$(echo "$CHANGED_UNAUTH_FILES" | xargs) - echo "all_changed_files=$CHANGED_UNAUTH_FILES" >> $GITHUB_OUTPUT - - # Check if any unauthorized files changed - if [ ! 
-z "$CHANGED_UNAUTH_FILES" ]; then - echo "any_changed=true" >> $GITHUB_OUTPUT - else - echo "any_changed=false" >> $GITHUB_OUTPUT - fi + # Get all changed files between base and head + mapfile -d '' ALL_CHANGED_FILES < <(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA") - - name: List all changed unauthorized files - if: steps.changed-unauth-files.outputs.any_changed == 'true' - env: - CHANGED_UNAUTH_FILES: ${{ steps.changed-unauth-files.outputs.all_changed_files }} - run: | - echo "::error::Unauthorized changes detected in sensitive files:" - echo "" - for file in $CHANGED_UNAUTH_FILES; do - echo "- $file" - done - echo "" - echo "To override:" - echo "Add the 'ignore-sensitive-files-pr' label to this PR." - exit 1 + # Check for sensitive files using the python script + if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then + python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}" + fi Test-Docusaurus-Deployment: name: Test Deployment to https://developer.palisadoes.org