diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index c25ed46d..309ba086 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -27,4 +27,50 @@ jobs:
 run: npm install
 - name: NPM Build
- run: SERVER_ROOT=https://playground.accordproject.org && NODE_OPTIONS=--max_old_space_size=8192 npm run build
\ No newline at end of file
+ run: SERVER_ROOT=https://playground.accordproject.org && NODE_OPTIONS=--max_old_space_size=8192 npm run build
+
+ check-sensitive-files:
+ name: Check for Sensitive Files
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Get Changed Files
+ id: get_changed_files
+ uses: tj-actions/changed-files@v45
+
+ - name: Check for Unauthorized Changes
+ run: |
+ RESTRICTED_FILES=(
+ ".github/workflows/"
+ "package.json"
+ "package-lock.json"
+ "Dockerfile"
+ "docker-compose.yml"
+ ".env.example"
+ )
+
+ UNAUTHORIZED_CHANGES=""
+
+ for file in ${{ steps.get_changed_files.outputs.all_changed_files }}; do
+ for restricted in "${RESTRICTED_FILES[@]}"; do
+ if [[ "$file" == *"$restricted"* ]]; then
+ echo "❌ Unauthorized change detected: $file"
+ UNAUTHORIZED_CHANGES="$UNAUTHORIZED_CHANGES\n$file"
+ fi
+ done
+ done
+
+ if [[ ! -z "$UNAUTHORIZED_CHANGES" ]]; then
+ echo -e "⛔ Unauthorized changes detected in:\n$UNAUTHORIZED_CHANGES"
+ exit 1
+ else
+ echo "✅ No unauthorized changes detected. Proceeding..."
+ fi
+ shell: bash
+
+
+
+
+
\ No newline at end of file
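Review bot: The loop header `for file in ${{ steps.get_changed_files.outputs.all_changed_files }}; do` in the "Check for Unauthorized Changes" step splices the changed-file list into the script text before bash parses it, so file names chosen by the pull-request author become code rather than data — the expression-injection pattern GitHub's own documentation warns against for `run:` steps, and here it sits in the job that is supposed to act as a gate. Pass the list through the environment instead: add `env:` / `CHANGED_FILES: ${{ steps.get_changed_files.outputs.all_changed_files }}` to the step and iterate with `for file in $CHANGED_FILES; do` (this still word-splits on whitespace, so names containing spaces remain a known limitation unless the action's separator output is used). `tj-actions/changed-files@v45` and `actions/checkout@v2` are mutable tag references; for a job whose purpose is guarding `.github/workflows/` and the dependency manifests, pinning both to a full commit SHA is the usual supply-chain control, and `checkout@v2` is a deprecated major. Two smaller points: the substring match `*"$restricted"*` also flags names such as `my-package.json` or `Dockerfile.dev` and, if `all_changed_files` excludes deletions as I believe it does, removing `Dockerfile` outright passes the check; and if this workflow runs on `pull_request` (the trigger is outside the hunk), a PR editing `pr-check.yml` itself runs its own copy of the check, so branch protection or CODEOWNERS on `.github/workflows/` is what actually enforces the rule.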