From aa4d44a5ca3e5fcf0cbba6c319559247f810afc7 Mon Sep 17 00:00:00 2001 From: ankitTelnyx Date: Mon, 6 Jul 2026 16:25:37 +0100 Subject: [PATCH] ci: guard release PRs against prod-owned machinery changes --- .github/workflows/release-pr-guard.yml | 40 ++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/release-pr-guard.yml diff --git a/.github/workflows/release-pr-guard.yml b/.github/workflows/release-pr-guard.yml new file mode 100644 index 00000000..68c3cc54 --- /dev/null +++ b/.github/workflows/release-pr-guard.yml @@ -0,0 +1,40 @@ +name: Release PR Guard + +# Generated release PRs are tree-replaced from prod 'next' (promoted staging +# content). They must NEVER modify prod-owned machinery: a diff touching these +# paths means staging content leaked through the promote's restore step (as +# happened with bin/check-release-environment on 2026-07-03/04). Passes +# trivially for human PRs, which may legitimately edit workflows. + +on: + pull_request: + branches: [master] + +permissions: + contents: read + +jobs: + protected-paths: + name: protected-paths + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Block prod-owned changes in generated release PRs + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} + run: | + if [[ "$HEAD_REF" != release-please--* ]]; then + echo "Not a generated release PR; nothing to guard." + exit 0 + fi + changed=$(git diff --name-only "origin/$BASE_REF"...HEAD) + bad=$(printf '%s\n' "$changed" | grep -E '^(\.github/|bin/|release-please-config\.json)' | grep -v '^\.github/workflows/create-releases\.yml$' || true) + if [ -n "$bad" ]; then + echo "::error::Generated release PR modifies prod-owned machinery (staging leak through promote?):" + printf '%s\n' "$bad" + exit 1 + fi + echo "No prod-owned paths touched."