Detect CLIs as shell type #18463
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Prevent engineering system changes in PRs | |
| on: pull_request | |
| permissions: {} | |
| jobs: | |
| main: | |
| name: Prevent engineering system changes in PRs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get file changes | |
| uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4 | |
| id: file_changes | |
| - name: Check if engineering systems were modified | |
| id: engineering_systems_check | |
| run: | | |
| if cat $HOME/files.json | jq -e 'any(test("^\\.github\\/workflows\\/|^build\\/|package\\.json$"))' > /dev/null; then | |
| echo "engineering_systems_modified=true" >> $GITHUB_OUTPUT | |
| echo "Engineering systems were modified in this PR" | |
| else | |
| echo "engineering_systems_modified=false" >> $GITHUB_OUTPUT | |
| echo "No engineering systems were modified in this PR" | |
| fi | |
| - name: Allow automated distro or version field updates | |
| id: bot_field_exception | |
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && github.event.pull_request.user.login == 'vs-code-engineering[bot]' }} | |
| run: | | |
| # Allow the vs-code-engineering bot ONLY when: | |
| # 1. package.json is the sole changed file and the diff exclusively | |
| # touches the "distro" or "version" field, OR | |
| # 2. package.json + package-lock.json are the only changed files and | |
| # the package.json diff exclusively touches the "version" field | |
| # (lock file updates are expected from npm install after version bump). | |
| ONLY_PKG=$(jq -e '. == ["package.json"]' "$HOME/files.json" > /dev/null 2>&1 && echo true || echo false) | |
| PKG_AND_LOCK=$(jq -e '. | sort == ["package-lock.json", "package.json"]' "$HOME/files.json" > /dev/null 2>&1 && echo true || echo false) | |
| if [[ "$ONLY_PKG" != "true" && "$PKG_AND_LOCK" != "true" ]]; then | |
| echo "Bot modified files beyond package.json (+ package-lock.json) — not allowed" | |
| echo "allowed=false" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| DIFF=$(gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}) || { | |
| echo "Failed to fetch PR diff — not allowed" | |
| echo "allowed=false" >> $GITHUB_OUTPUT | |
| exit 0 | |
| } | |
| # Extract only the package.json diff section (ignore package-lock.json changes) | |
| PKG_DIFF=$(echo "$DIFF" | awk '/^diff --git a\/package\.json b\/package\.json/{p=1} p && /^diff --git / && !/^diff --git a\/package\.json/{exit} p{print}') | |
| CHANGED_LINES=$(echo "$PKG_DIFF" | grep -E '^[+-]' | grep -vE '^(\+\+\+|---)' | wc -l) | |
| DISTRO_LINES=$(echo "$PKG_DIFF" | grep -cE '^[+-][[:space:]]*"distro"[[:space:]]*:' || true) | |
| VERSION_LINES=$(echo "$PKG_DIFF" | grep -cE '^[+-][[:space:]]*"version"[[:space:]]*:' || true) | |
| if [[ "$ONLY_PKG" == "true" && "$CHANGED_LINES" -eq 2 && ("$DISTRO_LINES" -eq 2 || "$VERSION_LINES" -eq 2) ]]; then | |
| echo "Distro-only or version-only update by bot — allowing" | |
| echo "allowed=true" >> $GITHUB_OUTPUT | |
| elif [[ "$PKG_AND_LOCK" == "true" && "$CHANGED_LINES" -eq 2 && "$VERSION_LINES" -eq 2 ]]; then | |
| echo "Version bump with lock file update by bot — allowing" | |
| echo "allowed=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "Bot changed more than a single allowed field (distro or version) — not allowed" | |
| echo "allowed=false" >> $GITHUB_OUTPUT | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Prevent Copilot from modifying engineering systems | |
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.bot_field_exception.outputs.allowed != 'true' && github.event.pull_request.user.login == 'Copilot' }} | |
| run: | | |
| echo "Copilot is not allowed to modify .github/workflows, build folder files, or package.json files." | |
| echo "If you need to update engineering systems, please do so manually or through authorized means." | |
| exit 1 | |
| - uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0 | |
| id: get_permissions | |
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.bot_field_exception.outputs.allowed != 'true' && github.event.pull_request.user.login != 'Copilot' }} | |
| with: | |
| route: GET /repos/microsoft/vscode/collaborators/${{ github.event.pull_request.user.login }}/permission | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set control output variable | |
| id: control | |
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.bot_field_exception.outputs.allowed != 'true' && github.event.pull_request.user.login != 'Copilot' }} | |
| run: | | |
| echo "user: ${{ github.event.pull_request.user.login }}" | |
| echo "role: ${{ fromJson(steps.get_permissions.outputs.data).permission }}" | |
| echo "is dependabot: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}" | |
| echo "should_run: ${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) }}" | |
| echo "should_run=${{ !contains(fromJson('["admin", "maintain", "write"]'), fromJson(steps.get_permissions.outputs.data).permission) && github.event.pull_request.user.login != 'dependabot[bot]' }}" >> $GITHUB_OUTPUT | |
| - name: Check for engineering system changes | |
| if: ${{ steps.engineering_systems_check.outputs.engineering_systems_modified == 'true' && steps.bot_field_exception.outputs.allowed != 'true' && steps.control.outputs.should_run == 'true' }} | |
| run: | | |
| echo "Changes to .github/workflows/, build/ folder files, or package.json files aren't allowed in PRs." | |
| exit 1 |