From 69bc02d4ad822dc7f6dd5b4a5fba17e6f5970738 Mon Sep 17 00:00:00 2001
From: anantakumarghosh
Date: Sat, 21 Sep 2024 17:58:19 +0530
Subject: [PATCH] ci(core): :wrench: improve PR checks
improve PR checks for external contributors
ref: #28
---
 .github/workflows/pr-guardrails.yml | 53 +++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/pr-guardrails.yml b/.github/workflows/pr-guardrails.yml
index e6042f2..64baf5e 100644
--- a/.github/workflows/pr-guardrails.yml
+++ b/.github/workflows/pr-guardrails.yml
@@ -5,6 +5,28 @@ run-name: >
 on: pull_request
 jobs:
+
+ check_sensitive_files:
+ name: Check for sensitive file modifications
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Check for sensitive file modifications
+ run: |
+ MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+ SENSITIVE_FILES=$(echo "$MODIFIED_FILES" | grep -E '^\.github/|^LICENSE$|^CONTRIBUTING\.md$' || true)
+ if [ ! -z "$SENSITIVE_FILES" ] && [ "${{ github.event.pull_request.user.id }}" != "${{ env.ALLOWED_USERNAME }}" ]; then
+ echo "Error: Unauthorized modification of sensitive files detected:"
+ echo "$SENSITIVE_FILES"
+ echo "Only user with ID 61864488 is allowed to modify these files."
+ exit 1
+ fi
+
+
 branchname:
 name: Validate branch name
 runs-on: ubuntu-latest
@@ -32,11 +54,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Check out branch
+ - name: Check out code
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ - name: Fetch PR commits
+ run: |
+ git fetch origin +refs/pull/${{ github.event.pull_request.number }}/head:refs/remotes/origin/pr/${{ github.event.pull_request.number }}
+
 - name: Use Node.js
 uses: actions/setup-node@v3
 with:
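Review bot: The `${{ env.ALLOWED_USERNAME }}` that the new `if` in `check_sensitive_files` compares against is not defined anywhere in this patch (no `env:` block is added at workflow, job or step level), so unless it lives in a part of the file outside this diff it expands to an empty string and the condition fails every PR that touches `.github/`, `LICENSE` or `CONTRIBUTING.md` — the owner's included, since the id `61864488` only appears in the error message and the variable name says "username" while the value compared is `pull_request.user.id`. More fundamentally, a `pull_request` run executes the workflow file as it exists in the PR's merge ref, so a contributor editing `.github/workflows/` can delete or neuter this very job in the same PR; the guard only holds if the same paths are also protected outside the PR's control, e.g. a CODEOWNERS entry for `/.github/` combined with required review in branch protection, and a comment saying so belongs above the job. If the job is kept, define the constant and pass the payload value through `env:` instead of interpolating expressions into the shell line, e.g. job-level `env:` with `ALLOWED_USER_ID: "61864488"`, step-level `env:` with `PR_USER_ID: ${{ github.event.pull_request.user.id }}`, and `if [ -n "$SENSITIVE_FILES" ] && [ "$PR_USER_ID" != "$ALLOWED_USER_ID" ]; then`. The `actions/checkout@v3` this new job introduces should also be pinned to a full commit SHA rather than a mutable tag, as is standard for a workflow meant to act as a guardrail.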
@@ -49,7 +75,7 @@ jobs:
 - name: Install commitlint
 run: |
- npm ci
+ npm i
 npm install conventional-changelog-conventionalcommits@7.0.2
 - name: Print versions
@@ -59,14 +85,19 @@ jobs:
 npm --version
 npx commitlint --version
- - name: Run commitlint
- run: >
- npx commitlint
- --from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }}
- --to ${{ github.event.pull_request.head.sha }}
- --verbose
+ - name: Get commit range
+ id: commit_range
+ run: |
+ BASE_SHA=$(git merge-base ${{ github.event.pull_request.base.sha }} origin/pr/${{ github.event.pull_request.number }})
+ echo "base_sha=$BASE_SHA" >> $GITHUB_OUTPUT
+ HEAD_SHA=${{ github.event.pull_request.head.sha }}
+ echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
- codelint-app:
+ - name: Run commitlint
+ run: |
+ npx commitlint --from ${{ steps.commit_range.outputs.base_sha }} --to ${{ steps.commit_range.outputs.head_sha }} --verbose
+
+ codelint_app:
 name: Validate app code style
 runs-on: ubuntu-latest
@@ -110,7 +141,7 @@ jobs:
 run: |
 npm run code:lint:app ${{ steps.git_diff.outputs.FILES_TO_LINT }}
- codelint-service:
+ codelint_service:
 name: Validate service code style
 runs-on: ubuntu-latest
@@ -157,7 +188,7 @@ jobs:
 unit_tests:
 name: Run unit test cases
 runs-on: ubuntu-latest
- needs: [branchname, commitlint, codelint-app, codelint-service]
+ needs: [branchname, commitlint, codelint_app, codelint_service]
 steps:
 - name: Check out branch
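Review bot: Swapping `npm ci` for `npm i` in the `Install commitlint` step gives up the lockfile guarantee: `npm install` may resolve versions newer than those pinned in `package-lock.json` and, when the lockfile is out of sync, will rewrite it, so the commitlint toolchain that runs on every external PR is no longer reproducible and takes whatever the registry serves at run time. The explicitly pinned `npm install conventional-changelog-conventionalcommits@7.0.2` on the next line shows the intent is exact versions, which argues for keeping `npm ci` and, if it was failing, fixing the lockfile in its own commit; if `npm i` is truly needed, a comment such as `# npm i instead of npm ci: lockfile is intentionally not authoritative here — TODO revisit` should say why. The rest of this step lies outside the hunk.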
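Review bot: In the new `Get commit range` step the two redirections to `$GITHUB_OUTPUT` are unquoted; quote them as `>> "$GITHUB_OUTPUT"` so the step does not break on a path containing spaces and so it matches the quoting already used for the `base_sha=`/`head_sha=` strings. The `origin/pr/N` ref that `git merge-base` reads is only present because a separate `Fetch PR commits` step (in an earlier hunk) creates it; a one-line comment such as `# origin/pr/N is created by the "Fetch PR commits" step above` would make that dependency visible to whoever reorders the steps. The interpolated `base.sha`, `head.sha` and `pull_request.number` values are SHAs and an integer, so they do not open a shell-injection path here.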