From c0d13a8fe87f9a494225f9ae7713d30b884f366d Mon Sep 17 00:00:00 2001
From: anantakumarghosh
Date: Sat, 21 Sep 2024 18:11:28 +0530
Subject: [PATCH] ci(core): :wrench: improve PR checks
improve PR checks for external contributors ref: #28
---
 .github/workflows/pr-guardrails.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/pr-guardrails.yml b/.github/workflows/pr-guardrails.yml
index 4cd11b0..a9de854 100644
--- a/.github/workflows/pr-guardrails.yml
+++ b/.github/workflows/pr-guardrails.yml
@@ -4,8 +4,34 @@ run-name: >
 on: pull_request_target
+env:
+ ALLOWED_MODIFIERS: "61864488"
+ # maintainer anantakumarghosh
+ # contact: antaghosh@gmail.com
+
 jobs:
+ check_sensitive_files:
+ name: Check for any sensitive file modifications
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Check for sensitive file modifications
+ run: |
+ MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
+ SENSITIVE_FILES=$(echo "$MODIFIED_FILES" | grep -E '^\.github/|^LICENSE$|^CONTRIBUTING\.md$' || true)
+ if [ ! -z "$SENSITIVE_FILES" ] && [ "${{ github.event.pull_request.user.id }}" != "${{ env.ALLOWED_USERNAME }}" ]; then
+ echo "Error: Unauthorized modification of sensitive files detected:"
+ echo "$SENSITIVE_FILES"
+ echo "Only user with ID 61864488 is allowed to modify these files."
+ exit 1
+ fi
+
+
 branchname:
 name: Validate branch name
 runs-on: ubuntu-latest