Skip to content

[Snyk] Security upgrade node from 18.14-alpine to 18.20.5-alpine #457

[Snyk] Security upgrade node from 18.14-alpine to 18.20.5-alpine

[Snyk] Security upgrade node from 18.14-alpine to 18.20.5-alpine #457

name: Check unallowed file changes
# **What it does**: If someone changes some files in the open repo, we prevent the pull request from merging.
# **Why we have it**: Some files can only be changed in the internal repository for security and workflow reasons.
# **Who does it impact**: Open source contributors.
on:
pull_request_target:
paths:
- '.devcontainer/**'
- '.github/actions-scripts/**'
- '.github/workflows/**'
- '.github/CODEOWNERS'
- 'assets/fonts/**'
- 'data/graphql/**'
- 'Dockerfile*'
- 'src/**'
- 'lib/redirects/**'
- 'package*.json'
- 'script/**'
- 'content/actions/deployment/security-hardening-your-deployments/**'
permissions:
pull-requests: write
jobs:
triage:
if: >-
${{
github.repository == 'github/docs' &&
github.event.pull_request.user.login != 'Octomerger' &&
github.event.pull_request.user.login != 'dependabot[bot]'
}}
runs-on: ubuntu-latest
steps:
- name: Get files changed
uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
id: filter
with:
# Base branch used to get changed files
base: 'main'
# Enables setting an output in the format in `${FILTER_NAME}_files
# with the names of the matching files formatted as JSON array
list-files: json
# Returns list of changed files matching each filter
filters: |
openapi:
- 'src/rest/data/**'
notAllowed:
- '.devcontainer/**'
- '.github/actions-scripts/**'
- '.github/workflows/**'
- '.github/CODEOWNERS'
- 'assets/fonts/**'
- 'data/graphql/**'
- 'Dockerfile*'
- 'src/**'
- 'lib/redirects/**'
- 'package*.json'
- 'scripts/**'
- 'content/actions/deployment/security-hardening-your-deployments/**'
# When there are changes to files we can't accept, leave a comment
# explaining this to the PR author
- name: "Comment about changes we can't accept"
if: ${{ steps.filter.outputs.notAllowed }}
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
with:
script: |
const badFilesArr = [
'.devcontainer/**',
'.github/actions-scripts/**',
'.github/workflows/**',
'.github/CODEOWNERS',
'assets/fonts/**',
'data/graphql/**',
'Dockerfile*',
'src/**',
'lib/redirects/**',
'package*.json',
'scripts/**',
'content/actions/deployment/security-hardening-your-deployments/**',
]
const badFiles = badFilesArr.join('\n')
let reviewMessage = `👋 Hey there spelunker. It looks like you've modified some files that we can't accept as contributions. The complete list of files we can't accept are:\n${badFiles}\n\nYou'll need to revert all of the files you changed in that list using [GitHub Desktop](https://docs.github.com/en/free-pro-team@latest/desktop/contributing-and-collaborating-using-github-desktop/managing-commits/reverting-a-commit) or \`git checkout origin/main <file name>\`. Once you get those files reverted, we can continue with the review process. :octocat:`
let workflowFailMessage = "It looks like you've modified some files that we can't accept as contributions."
try {
createdComment = await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.number,
body: reviewMessage,
})
workflowFailMessage = `${workflowFailMessage} Please see ${createdComment.data.html_url} for details.`
} catch(err) {
console.log("Error creating comment.", err)
}
core.setFailed(workflowFailMessage)