From b6b4539ef03eed816b7f7df1824c37e52f0b1e6c Mon Sep 17 00:00:00 2001
From: 18bharathkumar
Date: Sun, 8 Feb 2026 23:29:24 +0530
Subject: [PATCH 1/4] refactor: use centralized script and config for sensitive files check
---
 .github/workflows/config/sensitive_files.txt | 31 +++++++
 .github/workflows/pull-request.yml | 88 +++++--------------
 2 files changed, 51 insertions(+), 68 deletions(-)
 create mode 100644 .github/workflows/config/sensitive_files.txt
diff --git a/.github/workflows/config/sensitive_files.txt b/.github/workflows/config/sensitive_files.txt
new file mode 100644
index 00000000..e77bb7a0
--- /dev/null
+++ b/.github/workflows/config/sensitive_files.txt
@@ -0,0 +1,31 @@
+.github/
+CNAME$
+static/CNAME
+package.json
+sidebar
+docusaurus.config.js
+babel.config.js
+CODEOWNERS
+LICENSE
+./*.md
+package-lock.json
+tsconfig.json
+pnpm-lock.yaml
+.gitignore
+.prettierignore
+.prettierrc
+^src/.*
+^.gitignore$
+.node-version$
+.eslintrc.json$
+.eslintignore$
+CODEOWNERS$
+LICENSE$
+.coderabbit.yaml$
+.*.pem$
+.*.key$
+.*.cert$
+.*.password$
+.*.secret$
+.*.credentials$
+.nojekyll$
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 8e3ea477..782241e9 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -82,6 +82,13 @@ jobs: with: fetch-depth: 0 # Fetch all history for all branches and tags + - name: Checkout centralized CI/CD scripts + uses: actions/checkout@v4 + with: + repository: PalisadoesFoundation/.github + ref: main + path: .github-central + - name: Get PR labels id: check-labels env:
@@ -101,6 +108,12 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi + - name: Set up Python + if: steps.check-labels.outputs.skip != 'true' + uses: actions/setup-python@v5 + with: + python-version: 3.11 + - name: Get Changed Unauthorized files if: steps.check-labels.outputs.skip != 'true' id: changed-unauth-files
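Review bot: Most entries in the new sensitive_files.txt are unanchored and use unescaped dots, so if `sensitive_file_check.py` applies them as regular expressions the way the replaced `grep -E` loop did, `package.json` also matches `foo/package.json.bak`, `sidebar` matches any path containing that word, `.*.key$` matches any path ending in `key` (a file named `monkey`), and `./*.md` means `<any char><zero or more slashes><any char>md` rather than Markdown files. Anchoring and escaping them — `^package\.json$`, `\.pem$`, `\.md$` — makes the list match what it names, and the `CODEOWNERS`/`CODEOWNERS$`, `LICENSE`/`LICENSE$` and `.gitignore`/`^.gitignore$` pairs become redundant once anchored. The script's matching semantics are not visible in this patch, so this needs confirming against it before editing the list. The same unescaped form recurs in the rewrites of this file in patches 2 and 4 (`.env..*$`, `^docs/sidebar..*`), and patch 4 restores this exact list, so this is the version that ships.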
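Review bot: `ref: main` checks out `PalisadoesFoundation/.github` at the head of its `main` branch on every run, so the script that enforces this PR gate can change underneath the workflow without any review in this repository; pin it to a commit, `ref: <central-repo-commit-sha>` (placeholder), and bump it deliberately. This second checkout also persists the job's token into the nested `.github-central/.git` config by default, which a script executed from that tree does not need; adding `persist-credentials: false` to its `with:` block removes that exposure. The step's indentation is lost in this rendering, so its position in the step list is assumed from the surrounding context lines.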
@@ -116,75 +129,14 @@ jobs: HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}" BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA") - # Define sensitive files patterns as a bash array - SENSITIVE_PATTERNS=( - ".github/" - "CNAME$" - "static/CNAME" - "package.json" - "sidebar" - "docusaurus.config.js" - "babel.config.js" - "CODEOWNERS" - "LICENSE" - "./*.md" - "package-lock.json" - "tsconfig.json" - "pnpm-lock.yaml" - ".gitignore" - ".prettierignore" - ".prettierrc" - '^src/.*' - '^.gitignore$' - '.node-version$' - '.eslintrc.json$' - '.eslintignore$' - 'CODEOWNERS$' - 'LICENSE$' - '.coderabbit.yaml$' - '.*.pem$' - '.*.key$' - '.*.cert$' - '.*.password$' - '.*.secret$' - '.*.credentials$' - '.nojekyll$' - ) - - # Check for changes in sensitive files - CHANGED_UNAUTH_FILES="" - for pattern in "${SENSITIVE_PATTERNS[@]}"; do - FILES=$(git diff --name-only --diff-filter=ACMRD "$BASE_SHA" "$HEAD_SHA" | grep -E "$pattern" || true) - if [ ! -z "$FILES" ]; then - CHANGED_UNAUTH_FILES="$CHANGED_UNAUTH_FILES $FILES" - fi - done - - # Trim and format output - CHANGED_UNAUTH_FILES=$(echo "$CHANGED_UNAUTH_FILES" | xargs) - echo "all_changed_files=$CHANGED_UNAUTH_FILES" >> $GITHUB_OUTPUT - - # Check if any unauthorized files changed - if [ ! 
-z "$CHANGED_UNAUTH_FILES" ]; then - echo "any_changed=true" >> $GITHUB_OUTPUT - else - echo "any_changed=false" >> $GITHUB_OUTPUT - fi + # Get all changed files between base and head + mapfile -d '' ALL_CHANGED_FILES < <(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA") - - name: List all changed unauthorized files - if: steps.changed-unauth-files.outputs.any_changed == 'true' - env: - CHANGED_UNAUTH_FILES: ${{ steps.changed-unauth-files.outputs.all_changed_files }} - run: | - echo "::error::Unauthorized changes detected in sensitive files:" - echo "" - for file in $CHANGED_UNAUTH_FILES; do - echo "- $file" - done - echo "" - echo "To override:" - echo "Add the 'ignore-sensitive-files-pr' label to this PR." - exit 1 + # Check for sensitive files using the python script + if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then + chmod +x .github-central/.github/workflows/scripts/sensitive_file_check.py + python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}" + fi Test-Docusaurus-Deployment: name: Test Deployment to https://developer.palisadoes.org From cf96cdcda4de211dc2faf89f66fa91f6807d9a69 Mon Sep 17 00:00:00 2001 From: 18bharathkumar Date: Sun, 8 Feb 2026 23:44:30 +0530 Subject: [PATCH 2/4] update sensitive file --- .github/workflows/config/sensitive_files.txt | 55 ++++++++++++++------ 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/.github/workflows/config/sensitive_files.txt b/.github/workflows/config/sensitive_files.txt index e77bb7a0..5b960354 100644 --- a/.github/workflows/config/sensitive_files.txt +++ b/.github/workflows/config/sensitive_files.txt 
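Review bot: The new `git diff --name-only -z --diff-filter=ACMR` drops the `D` that the removed loop used, so a PR that deletes a listed file (CODEOWNERS, LICENSE, a `.pem`) no longer reaches the check at all; `--diff-filter=ACMRD` keeps deletions in scope. The step also stops writing the `all_changed_files` and `any_changed` outputs; the only consumer visible here, the `List all changed unauthorized files` step, is removed in the same hunk, but any other reference to `steps.changed-unauth-files.outputs` elsewhere in the workflow would now see empty values and should be checked. Whether the job fails on a match now rests entirely on the exit status of `sensitive_file_check.py`, which is not visible in this patch. The enclosing `run:` block starts before this hunk.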
@@ -1,27 +1,42 @@
-.github/
-CNAME$
-static/CNAME
-package.json
-sidebar
-docusaurus.config.js
-babel.config.js
-CODEOWNERS
-LICENSE
-./*.md
-package-lock.json
-tsconfig.json
-pnpm-lock.yaml
-.gitignore
-.prettierignore
-.prettierrc
-^src/.*
+.flake8$
+.pydocstyle$
+pyproject.toml$
+.env..*$
+vitest.config.js$
+src/App.tsx$
+^.github/.*
+^.coderabbit/.*
+^.husky/.*
+^scripts/.*
+^docker/.*
+^config/.*
+^src/style/.*
+^src/assets/.*
+schema.graphql$
+package.json$
+package-lock.json$
+tsconfig.json$
 ^.gitignore$
+^env.example$
 .node-version$
 .eslintrc.json$
 .eslintignore$
+.prettierrc$
+.prettierignore$
+vite.config.ts$
 CODEOWNERS$
 LICENSE$
+setup.ts$
 .coderabbit.yaml$
+CODE_OF_CONDUCT.md$
+CODE_STYLE.md$
+CONTRIBUTING.md$
+DOCUMENTATION.md$
+INSTALLATION.md$
+ISSUE_GUIDELINES.md$
+PR_GUIDELINES.md$
+README.md$
+index.html$
 .*.pem$
 .*.key$
 .*.cert$
@@ -29,3 +44,9 @@ LICENSE$
 .*.secret$
 .*.credentials$
 .nojekyll$
+yarn.lock$
+knip.json$
+knip.deps.json$
+^docs/docusaurus.config.ts$
+^docs/sidebar..*
+CNAME$
\ No newline at end of file
From 8f8486f27d685539b6c0a4e1a03701ae8d223ead Mon Sep 17 00:00:00 2001
From: Bharath Kumar MS <165395713+18bharathkumar@users.noreply.github.com>
Date: Sun, 8 Feb 2026 23:51:36 +0530
Subject: [PATCH 3/4] Update pull-request.yml
---
 .github/workflows/pull-request.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 782241e9..11f88ce9 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -134,7 +134,6 @@ jobs:
 # Check for sensitive files using the python script
 if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then
- chmod +x .github-central/.github/workflows/scripts/sensitive_file_check.py
 python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
 fi
From c6a798c42727b9fda2ee26a691c786ac06db1d31 Mon Sep 17 00:00:00 2001
From: Bharath Kumar MS <165395713+18bharathkumar@users.noreply.github.com>
Date: Mon, 9 Feb 2026 10:32:29 +0530
Subject: [PATCH 4/4] Update sensitive_files.txt
---
 .github/workflows/config/sensitive_files.txt | 55 ++++++--------
 1 file changed, 17 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/config/sensitive_files.txt b/.github/workflows/config/sensitive_files.txt
index 5b960354..e77bb7a0 100644
--- a/.github/workflows/config/sensitive_files.txt
+++ b/.github/workflows/config/sensitive_files.txt
@@ -1,42 +1,27 @@
-.flake8$
-.pydocstyle$
-pyproject.toml$
-.env..*$
-vitest.config.js$
-src/App.tsx$
-^.github/.*
-^.coderabbit/.*
-^.husky/.*
-^scripts/.*
-^docker/.*
-^config/.*
-^src/style/.*
-^src/assets/.*
-schema.graphql$
-package.json$
-package-lock.json$
-tsconfig.json$
+.github/
+CNAME$
+static/CNAME
+package.json
+sidebar
+docusaurus.config.js
+babel.config.js
+CODEOWNERS
+LICENSE
+./*.md
+package-lock.json
+tsconfig.json
+pnpm-lock.yaml
+.gitignore
+.prettierignore
+.prettierrc
+^src/.*
 ^.gitignore$
-^env.example$
 .node-version$
 .eslintrc.json$
 .eslintignore$
-.prettierrc$
-.prettierignore$
-vite.config.ts$
 CODEOWNERS$
 LICENSE$
-setup.ts$
 .coderabbit.yaml$
-CODE_OF_CONDUCT.md$
-CODE_STYLE.md$
-CONTRIBUTING.md$
-DOCUMENTATION.md$
-INSTALLATION.md$
-ISSUE_GUIDELINES.md$
-PR_GUIDELINES.md$
-README.md$
-index.html$
 .*.pem$
 .*.key$
 .*.cert$
@@ -44,9 +29,3 @@ index.html$
 .*.secret$
 .*.credentials$
 .nojekyll$
-yarn.lock$
-knip.json$
-knip.deps.json$
-^docs/docusaurus.config.ts$
-^docs/sidebar..*
-CNAME$
\ No newline at end of file