mirror
/
tiangolo.fastapi
mirror of https://github.com/tiangolo/fastapi
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

🔒️ Only allow team members to modify dependencies (#15548)

pull/15553/head
Sofie Van Landeghem 3 weeks ago
committed by GitHub
parent
8106d6391d
commit
622dcdc99c
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 55 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 52
      .github/workflows/guard-dependencies.yml
  2. 3
      docs/en/docs/help-fastapi.md

52
.github/workflows/guard-dependencies.yml
View File

@ -0,0 +1,52 @@
name: Guard Dependencies
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
branches: [master]
paths:
- pyproject.toml
- uv.lock
permissions:
contents: read
issues: write
pull-requests: write
jobs:
check-author:
runs-on: ubuntu-latest
steps:
- name: Check if author is org member or allowed bot
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const pr = context.payload.pull_request;
const author = pr.user.login;
const assoc = pr.author_association;
const botAllowlist = new Set(['dependabot[bot]']);
const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
const allowed =
botAllowlist.has(author) ||
(assoc != null && orgAuthorAssociations.has(assoc));
if (!allowed) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
});
await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number,
state: 'closed'
});
core.setFailed('Dependency changes are restricted to organization members.');
} else {
console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
}

3
docs/en/docs/help-fastapi.md
View File

@ -210,6 +210,9 @@ You can [contribute](contributing.md) to the source code with Pull Requests, for
* Make sure to add tests. * Make sure to add tests.
* Make sure to add documentation if it's relevant. * Make sure to add documentation if it's relevant.
Note that PRs from non-team members are not allowed to modify `pyproject.toml` or `uv.lock`, to prevent supply chain risk.
If you would like to add a new dependency, create a new [Discussion](https://github.com/fastapi/fastapi/discussions/categories/questions) to explain why.
## Help Maintain FastAPI { #help-maintain-fastapi } ## Help Maintain FastAPI { #help-maintain-fastapi }
Help me maintain **FastAPI**! 🤓 Help me maintain **FastAPI**! 🤓

Write Preview
Loading…
Cancel
Save