Skip to content

refactor: use centralized script and config for sensitive files check #139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
palisadoes merged 4 commits into from
Feb 9, 2026
Merged

refactor: use centralized script and config for sensitive files check #139

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b6b4539
refactor: use centralized script and config for sensitive files check
18bharathkumar Feb 8, 2026
cf96cdc
update sensitive file
18bharathkumar Feb 8, 2026
8f8486f
Update pull-request.yml
18bharathkumar Feb 8, 2026
c6a798c
Update sensitive_files.txt
18bharathkumar Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/config/sensitive_files.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
.github/
CNAME$
static/CNAME
package.json
sidebar
docusaurus.config.js
babel.config.js
CODEOWNERS
LICENSE
./*.md
package-lock.json
tsconfig.json
pnpm-lock.yaml
.gitignore
.prettierignore
.prettierrc
^src/.*
^.gitignore$
.node-version$
.eslintrc.json$
.eslintignore$
CODEOWNERS$
LICENSE$
.coderabbit.yaml$
.*.pem$
.*.key$
.*.cert$
.*.password$
.*.secret$
.*.credentials$
Comment on lines +25 to +30
Copy link

@coderabbitai coderabbitai bot Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Credential-file patterns are incorrect regex — they match far more than intended.

.*.pem$ in regex means "any character, then anything, ending in pem" — this matches strings like my_problem, ecosystem, etc. The literal dot before the extension is not escaped.

Similarly affected: .*.key$, .*.cert$, .*.password$, .*.secret$, .*.credentials$.

🐛 Proposed fix — escape the dot before the extension 
-.*.pem$
-.*.key$
-.*.cert$
-.*.password$
-.*.secret$
-.*.credentials$
+.*\.pem$
+.*\.key$
+.*\.cert$
+.*\.password$
+.*\.secret$
+.*\.credentials$
🤖 Prompt for AI Agents 
In @.github/workflows/config/sensitive_files.txt around lines 25 - 30, The regex
patterns in the list (e.g., .* .pem$, .* .key$, .* .cert$, .* .password$, .*
.secret$, .* .credentials$) use an unescaped dot which matches any character and
thus overmatches; update each pattern to escape the literal dot before the
extension and (optionally) anchor the pattern — e.g., replace occurrences with
^.*\.pem$, ^.*\.key$, ^.*\.cert$, ^.*\.password$, ^.*\.secret$, and
^.*\.credentials$ so they only match filenames that actually end with the given
extension.

.nojekyll$
87 changes: 19 additions & 68 deletions .github/workflows/pull-request.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,13 @@ jobs:
with:
fetch-depth: 0 # Fetch all history for all branches and tags

- name: Checkout centralized CI/CD scripts
uses: actions/checkout@v4
with:
repository: PalisadoesFoundation/.github
ref: main
path: .github-central
Comment on lines +85 to +90
Copy link

@coderabbitai coderabbitai bot Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Pinning to ref: main is a supply chain risk.

Any push to the main branch of PalisadoesFoundation/.github could silently alter the behavior of this workflow. Pin to a specific commit SHA or a release tag to ensure reproducibility and prevent unintended breakage or compromise.

       - name: Checkout centralized CI/CD scripts
         uses: actions/checkout@v4
         with:
           repository: PalisadoesFoundation/.github
-          ref: main
+          ref: <commit-sha-or-tag>
           path: .github-central
🤖 Prompt for AI Agents 
In @.github/workflows/pull-request.yml around lines 85 - 90, The workflow
currently pins the centralized checkout to a mutable ref (ref: main) in the
actions/checkout step, which is a supply-chain risk; update that step (the
actions/checkout@v4 invocation with repository: PalisadoesFoundation/.github and
path: .github-central) to use a fixed ref such as a specific commit SHA or a
tagged release (e.g., ref: <commit-sha> or ref: refs/tags/<tag>) so the workflow
always pulls an immutable, reproducible version of the centralized CI/CD
scripts.


- name: Get PR labels
id: check-labels
env:
Expand All @@ -101,6 +108,12 @@ jobs:
echo "skip=false" >> $GITHUB_OUTPUT
fi

- name: Set up Python
if: steps.check-labels.outputs.skip != 'true'
uses: actions/setup-python@v5
with:
python-version: 3.11

- name: Get Changed Unauthorized files
if: steps.check-labels.outputs.skip != 'true'
id: changed-unauth-files
Expand All @@ -116,75 +129,13 @@ jobs:
HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA")

# Define sensitive files patterns as a bash array
SENSITIVE_PATTERNS=(
".github/"
"CNAME$"
"static/CNAME"
"package.json"
"sidebar"
"docusaurus.config.js"
"babel.config.js"
"CODEOWNERS"
"LICENSE"
"./*.md"
"package-lock.json"
"tsconfig.json"
"pnpm-lock.yaml"
Copy link
Contributor

@palisadoes palisadoes Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. These are the only entries that must be in sensitive_files.txt
  2. You are using values that are not relevant.

".gitignore"
".prettierignore"
".prettierrc"
'^src/.*'
'^.gitignore$'
'.node-version$'
'.eslintrc.json$'
'.eslintignore$'
'CODEOWNERS$'
'LICENSE$'
'.coderabbit.yaml$'
'.*.pem$'
'.*.key$'
'.*.cert$'
'.*.password$'
'.*.secret$'
'.*.credentials$'
'.nojekyll$'
)

# Check for changes in sensitive files
CHANGED_UNAUTH_FILES=""
for pattern in "${SENSITIVE_PATTERNS[@]}"; do
FILES=$(git diff --name-only --diff-filter=ACMRD "$BASE_SHA" "$HEAD_SHA" | grep -E "$pattern" || true)
if [ ! -z "$FILES" ]; then
CHANGED_UNAUTH_FILES="$CHANGED_UNAUTH_FILES $FILES"
fi
done

# Trim and format output
CHANGED_UNAUTH_FILES=$(echo "$CHANGED_UNAUTH_FILES" | xargs)
echo "all_changed_files=$CHANGED_UNAUTH_FILES" >> $GITHUB_OUTPUT

# Check if any unauthorized files changed
if [ ! -z "$CHANGED_UNAUTH_FILES" ]; then
echo "any_changed=true" >> $GITHUB_OUTPUT
else
echo "any_changed=false" >> $GITHUB_OUTPUT
fi
# Get all changed files between base and head
mapfile -d '' ALL_CHANGED_FILES < <(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA")

- name: List all changed unauthorized files
if: steps.changed-unauth-files.outputs.any_changed == 'true'
env:
CHANGED_UNAUTH_FILES: ${{ steps.changed-unauth-files.outputs.all_changed_files }}
run: |
echo "::error::Unauthorized changes detected in sensitive files:"
echo ""
for file in $CHANGED_UNAUTH_FILES; do
echo "- $file"
done
echo ""
echo "To override:"
echo "Add the 'ignore-sensitive-files-pr' label to this PR."
exit 1
# Check for sensitive files using the python script
if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then
python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
fi
Comment on lines +136 to +138
Copy link

@coderabbitai coderabbitai bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

No guard against Python script or config file being absent.

If the centralized-repo checkout (line 85-90) fails silently or the path changes upstream, this step will fail with a cryptic "No such file or directory" error. Consider adding a brief existence check to surface a clearer message.

Proposed improvement 
           # Check for sensitive files using the python script
           if [ ${`#ALL_CHANGED_FILES`[@]} -gt 0 ]; then
+             SCRIPT=".github-central/.github/workflows/scripts/sensitive_file_check.py"
+             CONFIG=".github/workflows/config/sensitive_files.txt"
+             if [ ! -f "$SCRIPT" ]; then
+               echo "::error::Centralized sensitive-file check script not found at $SCRIPT"
+               exit 1
+             fi
+             if [ ! -f "$CONFIG" ]; then
+               echo "::error::Sensitive files config not found at $CONFIG"
+               exit 1
+             fi
-             python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
+             python3 "$SCRIPT" --config "$CONFIG" --files "${ALL_CHANGED_FILES[@]}"
           fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then
python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
fi
if [ ${`#ALL_CHANGED_FILES`[@]} -gt 0 ]; then
SCRIPT=".github-central/.github/workflows/scripts/sensitive_file_check.py"
CONFIG=".github/workflows/config/sensitive_files.txt"
if [ ! -f "$SCRIPT" ]; then
echo "::error::Centralized sensitive-file check script not found at $SCRIPT"
exit 1
fi
if [ ! -f "$CONFIG" ]; then
echo "::error::Sensitive files config not found at $CONFIG"
exit 1
fi
python3 "$SCRIPT" --config "$CONFIG" --files "${ALL_CHANGED_FILES[@]}"
fi
🤖 Prompt for AI Agents 
In @.github/workflows/pull-request.yml around lines 136 - 138, Add an existence
check before invoking the sensitive_file_check.py script: verify that the script
".github-central/.github/workflows/scripts/sensitive_file_check.py" and the
config ".github/workflows/config/sensitive_files.txt" both exist (and are files)
when the ALL_CHANGED_FILES array is non-empty, and if either is missing print a
clear error message identifying which path is missing and exit with non-zero
status; update the conditional around the python3 invocation that currently
references ALL_CHANGED_FILES to perform these checks and only run python3 when
both files are present.


Test-Docusaurus-Deployment:
name: Test Deployment to https://developer.palisadoes.org
Expand Down
Loading