diff --git a/.github/workflows/block-workflow-yaml.yml b/.github/workflows/block-workflow-yaml.yml
new file mode 100644
index 00000000..25844308
--- /dev/null
+++ b/.github/workflows/block-workflow-yaml.yml
@@ -0,0 +1,64 @@
+name: Block Forbidden Workflow Contribution Files
+
+on:
+ pull_request:
+ branches: [staged]
+ types: [opened, synchronize, reopened]
+ paths:
+ - "workflows/**"
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ check-forbidden-files:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Check for forbidden files in workflows/
+ id: check
+ run: |
+ # Check for YAML/lock files in workflows/ and any .github/ modifications
+ forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \
+ 'workflows/**/*.yml' \
+ 'workflows/**/*.yaml' \
+ 'workflows/**/*.lock.yml' \
+ '.github/*' \
+ '.github/**')
+
+ if [ -n "$forbidden" ]; then
+ echo "❌ Forbidden files detected:"
+ echo "$forbidden"
+ echo "files<> "$GITHUB_OUTPUT"
+ echo "$forbidden" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
+ exit 1
+ else
+ echo "✅ No forbidden files found in workflows/"
+ fi
+
+ - name: Comment on PR
+ if: failure()
+ uses: marocchino/sticky-pull-request-comment@v2
+ with:
+ header: workflow-forbidden-files
+ message: |
+ ## 🚫 Forbidden files in `workflows/`
+
+ Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**:
+ - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code
+ - `.github/` modifications — workflow contributions must not modify repository configuration
+
+ **Files that must be removed:**
+ ```
+ ${{ steps.check.outputs.files }}
+ ```
+
+ Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`.
+
+ Please remove these files and push again.
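Review bot: The `paths` filter (`- "workflows/**"`) means a PR that only touches `.github/` never triggers this job, so the `'.github/*'` / `'.github/**'` pathspecs in the check step are never evaluated for exactly the PRs they are meant to catch; add `- ".github/**"` under `paths`. Because the trigger is `pull_request`, the run uses the workflow file from the PR's merge commit, so as far as I can tell the same PR can edit or delete this file and the check will not fire — the `.github/` rule needs to be backed by branch protection (required status check, CODEOWNERS on `.github/`) rather than by this job alone. Without `:(glob)` magic git's pathspec `*` already spans `/` and `**` is not special, so `'workflows/**/*.yml'` likely misses a file directly under `workflows/` (e.g. a constructed `workflows/foo.yml`) while `'workflows/*.yml'` would match at any depth; worth verifying with a throwaway commit before relying on it. The line `echo "files<> "$GITHUB_OUTPUT"` as shown does not open a heredoc for the `EOF` terminator two lines later; if that is not an extraction artifact it should read `echo "files<<EOF" >> "$GITHUB_OUTPUT"`. On `pull_request` runs from forks the token is read-only regardless of the `pull-requests: write` grant, so if fork contributions are expected the comment step will fail and the reason for the block will only be visible in the job log.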