Awesome/awesome-copilot
1
0
Fork 0
mirror of https://github.com/github/awesome-copilot.git synced 2026-02-24 20:35:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e83cc6efee1dc3c43c31e55e94436617912fd3c6
awesome-copilot/.github/workflows/block-workflow-yaml.yml
Bruno Borges e83cc6efee Add CI guard to block forbidden files in workflows/ 
Prevents contributors from pushing compiled YAML (.yml, .yaml, .lock.yml)
or .github/ directories into the workflows/ directory. Only .md markdown
source files are accepted — compilation happens downstream via gh aw compile.

This is a security measure to prevent malicious GitHub Actions code
from being introduced through contributed agentic workflows.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-20 17:09:55 -08:00

65 lines
2.0 KiB
YAML
Raw Blame History

name: Block Forbidden Workflow Contribution Files
on:
pull_request:
branches: [staged]
types: [opened, synchronize, reopened]
paths:
- "workflows/**"
permissions:
contents: read
pull-requests: write
jobs:
check-forbidden-files:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check for forbidden files in workflows/
id: check
run: |
# Check for YAML/lock files in workflows/ and any .github/ modifications
forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \
'workflows/**/*.yml' \
'workflows/**/*.yaml' \
'workflows/**/*.lock.yml' \
'.github/*' \
'.github/**')
if [ -n "$forbidden" ]; then
echo "❌ Forbidden files detected:"
echo "$forbidden"
echo "files<<EOF" >> "$GITHUB_OUTPUT"
echo "$forbidden" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
exit 1
else
echo "✅ No forbidden files found in workflows/"
fi
- name: Comment on PR
if: failure()
uses: marocchino/sticky-pull-request-comment@v2
with:
header: workflow-forbidden-files
message: |
## 🚫 Forbidden files in `workflows/`
Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**:
- Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code
- `.github/` modifications — workflow contributions must not modify repository configuration
**Files that must be removed:**
```
${{ steps.check.outputs.files }}
```
Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`.
Please remove these files and push again.
Reference in New Issue View Git Blame Copy Permalink