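---
# Rejects pull requests into `staged` that add compiled workflow files under
# `workflows/` or that touch `.github/`. Contributors may only submit `.md`
# workflow sources; compiled `.yml`/`.yaml`/`.lock.yml` files are produced
# downstream (see the PR comment text below).
name: Block Forbidden Workflow Contribution Files

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [staged]
    types: [opened, synchronize, reopened]
    # Both trees are listed so that a PR touching only `.github/` still
    # triggers the check; the diff step below inspects the same two trees.
    # (On pull_request the base branch's copy of this workflow runs, so a
    # PR editing this file cannot switch the check off for itself.)
    paths:
      - "workflows/**"
      - ".github/**"

# Least privilege: read the tree, write the sticky PR comment, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  check-forbidden-files:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so `origin/<base>...HEAD` resolves to a merge base.
          fetch-depth: 0

      - name: Check for forbidden files in workflows/
        id: check
        env:
          # Passed via the environment rather than interpolated into the
          # script text, so the value is never re-parsed by the shell.
          BASE_REF: ${{ github.base_ref }}
        # Default shell for `run` is `bash -eo pipefail`, so a failing
        # `git diff` (e.g. unresolvable base ref) fails the step instead
        # of silently yielding an empty list.
        run: |
          # Files added, copied, modified or renamed on the PR side that match
          # the forbidden pathspecs. `R` is included because a rename *into*
          # workflows/ or .github/ is not reported by ACM alone.
          forbidden=$(git diff --name-only --diff-filter=ACMR "origin/${BASE_REF}...HEAD" -- \
            'workflows/**/*.yml' \
            'workflows/**/*.yaml' \
            'workflows/**/*.lock.yml' \
            '.github/*' \
            '.github/**')
          if [ -n "$forbidden" ]; then
            echo "❌ Forbidden files detected:"
            echo "$forbidden"
            # Multi-line values must use the heredoc form of GITHUB_OUTPUT;
            # the closing delimiter must match the opening one exactly.
            {
              echo "files<<EOF"
              echo "$forbidden"
              echo "EOF"
            } >> "$GITHUB_OUTPUT"
            exit 1
          else
            echo "✅ No forbidden files found in workflows/"
          fi

      - name: Comment on PR
        # Comment only when the check itself failed, not when an earlier step
        # (e.g. checkout) failed and `steps.check.outputs.files` is empty.
        if: failure() && steps.check.outcome == 'failure'
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: workflow-forbidden-files
          message: |
            ## 🚫 Forbidden files in `workflows/`

            Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**:

            - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code
            - `.github/` modifications — workflow contributions must not modify repository configuration

            **Files that must be removed:**
            ```
            ${{ steps.check.outputs.files }}
            ```

            Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`.

            Please remove these files and push again.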