[Snyk] Security upgrade node from 18.14-alpine to 18.20.5-alpine #457
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check unallowed file changes | |
# **What it does**: If someone changes some files in the open repo, we prevent the pull request from merging. | |
# **Why we have it**: Some files can only be changed in the internal repository for security and workflow reasons. | |
# **Who does it impact**: Open source contributors. | |
on: | |
pull_request_target: | |
paths: | |
- '.devcontainer/**' | |
- '.github/actions-scripts/**' | |
- '.github/workflows/**' | |
- '.github/CODEOWNERS' | |
- 'assets/fonts/**' | |
- 'data/graphql/**' | |
- 'Dockerfile*' | |
- 'src/**' | |
- 'lib/redirects/**' | |
- 'package*.json' | |
- 'script/**' | |
- 'content/actions/deployment/security-hardening-your-deployments/**' | |
permissions: | |
pull-requests: write | |
jobs: | |
triage: | |
if: >- | |
${{ | |
github.repository == 'github/docs' && | |
github.event.pull_request.user.login != 'Octomerger' && | |
github.event.pull_request.user.login != 'dependabot[bot]' | |
}} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get files changed | |
uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 | |
id: filter | |
with: | |
# Base branch used to get changed files | |
base: 'main' | |
# Enables setting an output in the format in `${FILTER_NAME}_files | |
# with the names of the matching files formatted as JSON array | |
list-files: json | |
# Returns list of changed files matching each filter | |
filters: | | |
openapi: | |
- 'src/rest/data/**' | |
notAllowed: | |
- '.devcontainer/**' | |
- '.github/actions-scripts/**' | |
- '.github/workflows/**' | |
- '.github/CODEOWNERS' | |
- 'assets/fonts/**' | |
- 'data/graphql/**' | |
- 'Dockerfile*' | |
- 'src/**' | |
- 'lib/redirects/**' | |
- 'package*.json' | |
- 'scripts/**' | |
- 'content/actions/deployment/security-hardening-your-deployments/**' | |
# When there are changes to files we can't accept, leave a comment | |
# explaining this to the PR author | |
- name: "Comment about changes we can't accept" | |
if: ${{ steps.filter.outputs.notAllowed }} | |
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 | |
with: | |
script: | | |
const badFilesArr = [ | |
'.devcontainer/**', | |
'.github/actions-scripts/**', | |
'.github/workflows/**', | |
'.github/CODEOWNERS', | |
'assets/fonts/**', | |
'data/graphql/**', | |
'Dockerfile*', | |
'src/**', | |
'lib/redirects/**', | |
'package*.json', | |
'scripts/**', | |
'content/actions/deployment/security-hardening-your-deployments/**', | |
] | |
const badFiles = badFilesArr.join('\n') | |
let reviewMessage = `👋 Hey there spelunker. It looks like you've modified some files that we can't accept as contributions. The complete list of files we can't accept are:\n${badFiles}\n\nYou'll need to revert all of the files you changed in that list using [GitHub Desktop](https://docs.github.com/en/free-pro-team@latest/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/reverting-a-commit) or \`git checkout origin/main <file name>\`. Once you get those files reverted, we can continue with the review process. :octocat:` | |
let workflowFailMessage = "It looks like you've modified some files that we can't accept as contributions." | |
try { | |
createdComment = await github.rest.issues.createComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.payload.number, | |
body: reviewMessage, | |
}) | |
workflowFailMessage = `${workflowFailMessage} Please see ${createdComment.data.html_url} for details.` | |
} catch(err) { | |
console.log("Error creating comment.", err) | |
} | |
core.setFailed(workflowFailMessage) |