mirror
/
tiangolo.fastapi
mirror of https://github.com/tiangolo/fastapi
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7205 Commits
41 Branches
280 Tags
250 MiB
 
Tree: a3558be5f8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a3558be5f8'
${ noResults }
tiangolo.fastapi/.github/workflows/guard-dependencies.yml

53 lines
2.1 KiB
Raw Blame History

name: Guard Dependencies
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
branches: [master]
paths:
- pyproject.toml
- uv.lock
permissions:
contents: read
issues: write
pull-requests: write
jobs:
check-author:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check if author is org member or allowed bot
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const pr = context.payload.pull_request;
const author = pr.user.login;
const assoc = pr.author_association;
const botAllowlist = new Set(['dependabot[bot]']);
const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
const allowed =
botAllowlist.has(author) ||
(assoc != null && orgAuthorAssociations.has(assoc));
if (!allowed) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
});
await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number,
state: 'closed'
});
core.setFailed('Dependency changes are restricted to organization members.');
} else {
console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
}