diff --git a/.github/workflows/no-package-lock-changes.yml b/.github/workflows/no-package-lock-changes.yml index 059b1c2115f..04ea8a43a80 100644 --- a/.github/workflows/no-package-lock-changes.yml +++ b/.github/workflows/no-package-lock-changes.yml @@ -8,8 +8,28 @@ jobs: name: Prevent package-lock.json changes in PRs runs-on: ubuntu-latest steps: + - name: Get file changes + uses: trilom/file-changes-action@ce38c8ce2459ca3c303415eec8cb0409857b4272 + id: file_changes + - name: Check if lockfiles were modified + id: lockfile_check + run: | + if cat $HOME/files.json | jq -e 'any(test("package-lock\\.json$|Cargo\\.lock$"))' > /dev/null; then + echo "lockfiles_modified=true" >> $GITHUB_OUTPUT + echo "Lockfiles were modified in this PR" + else + echo "lockfiles_modified=false" >> $GITHUB_OUTPUT + echo "No lockfiles were modified in this PR" + fi + - name: Prevent Copilot from modifying lockfiles + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login == 'Copilot' }} + run: | + echo "Copilot is not allowed to modify package-lock.json or Cargo.lock files." + echo "If you need to update dependencies, please do so manually or through authorized means." + exit 1 - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0 id: get_permissions + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }} with: route: GET /repos/microsoft/vscode/collaborators/{username}/permission username: ${{ github.event.pull_request.user.login }} @@ -17,17 +37,15 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set control output variable id: control + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }} run: | echo "user: ${{ github.event.pull_request.user.login }}" echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}" echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}" echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}" echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT - - name: Get file changes - uses: trilom/file-changes-action@ce38c8ce2459ca3c303415eec8cb0409857b4272 - if: ${{ steps.control.outputs.should_run == 'true' }} - name: Check for lockfile changes - if: ${{ steps.control.outputs.should_run == 'true' }} + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && steps.control.outputs.should_run == 'true' }} run: | - cat $HOME/files.json | jq -e 'any(test("package-lock\\.json$|Cargo\\.lock$")) | not' \ - || (echo "Changes to package-lock.json/Cargo.lock files aren't allowed in PRs." && exit 1) + echo "Changes to package-lock.json/Cargo.lock files aren't allowed in PRs." + exit 1 diff --git a/.github/workflows/no-yarn-lock-changes.yml b/.github/workflows/no-yarn-lock-changes.yml index fd643cd56a9..5727d1c511c 100644 --- a/.github/workflows/no-yarn-lock-changes.yml +++ b/.github/workflows/no-yarn-lock-changes.yml @@ -8,8 +8,28 @@ jobs: name: Prevent yarn.lock changes in PRs runs-on: ubuntu-latest steps: + - name: Get file changes + uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4 + id: file_changes + - name: Check if lockfiles were modified + id: lockfile_check + run: | + if cat $HOME/files.json | jq -e 'any(test("yarn\\.lock$|Cargo\\.lock$"))' > /dev/null; then + echo "lockfiles_modified=true" >> $GITHUB_OUTPUT + echo "Lockfiles were modified in this PR" + else + echo "lockfiles_modified=false" >> $GITHUB_OUTPUT + echo "No lockfiles were modified in this PR" + fi + - name: Prevent Copilot from modifying lockfiles + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login == 'Copilot' }} + run: | + echo "Copilot is not allowed to modify yarn.lock or Cargo.lock files." + echo "If you need to update dependencies, please do so manually or through authorized means." + exit 1 - uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0 id: get_permissions + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }} with: route: GET /repos/microsoft/vscode/collaborators/{username}/permission username: ${{ github.event.pull_request.user.login }} @@ -17,17 +37,15 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Set control output variable id: control + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && github.event.pull_request.user.login != 'Copilot' }} run: | echo "user: ${{ github.event.pull_request.user.login }}" echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}" echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}" echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}" echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT - - name: Get file changes - uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4 - if: ${{ steps.control.outputs.should_run == 'true' }} - name: Check for lockfile changes - if: ${{ steps.control.outputs.should_run == 'true' }} + if: ${{ steps.lockfile_check.outputs.lockfiles_modified == 'true' && steps.control.outputs.should_run == 'true' }} run: | - cat $HOME/files.json | jq -e 'any(test("yarn\\.lock$|Cargo\\.lock$")) | not' \ - || (echo "Changes to yarn.lock/Cargo.lock files aren't allowed in PRs." && exit 1) + echo "Changes to yarn.lock/Cargo.lock files aren't allowed in PRs." + exit 1