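---
# Pull-request policy checks for the branch promotion flow
# (development -> staging -> main, with maintenance allowed into both)
# and for confining package-lock.json changes to PRs that target maintenance.
name: Validate pull request rules

on:
  pull_request:
    # `edited` is included on purpose: it fires when a PR's base branch is
    # changed, so the base-branch conditions below are re-evaluated against
    # the new target instead of leaving the result computed for the old base
    # attached to the head commit. The other three are the default types.
    types: [opened, synchronize, reopened, edited]

# Least privilege: nothing here needs write access to contents or PRs.
permissions:
  contents: read
  pull-requests: read

jobs:
  validate-main-source-branch:
    name: Require staging or maintenance as source branch for main
    runs-on: ubuntu-latest
    if: github.base_ref == 'main'
    steps:
      - name: Validate source branch
        shell: bash
        env:
          # Passed through the environment rather than interpolated into the
          # script body, so the branch name is handled as data, not shell text.
          # NOTE(review): github.head_ref is only the source branch *name*; a PR
          # from a fork whose branch is named staging/maintenance also satisfies
          # this test. Confirm whether a same-repository origin should be required.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          set -euo pipefail
          if [ "${HEAD_REF}" != "staging" ] && [ "${HEAD_REF}" != "maintenance" ]; then
            echo "::error::Pull requests into main must come from staging or maintenance. Current source branch: ${HEAD_REF}"
            exit 1
          fi

  validate-staging-source-branch:
    name: Require development or maintenance as source branch for staging
    runs-on: ubuntu-latest
    if: github.base_ref == 'staging'
    steps:
      - name: Validate source branch
        shell: bash
        env:
          # Same pattern as the main job: branch name supplied via env only.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          set -euo pipefail
          if [ "${HEAD_REF}" != "development" ] && [ "${HEAD_REF}" != "maintenance" ]; then
            echo "::error::Pull requests into staging must come from development or maintenance. Current source branch: ${HEAD_REF}"
            exit 1
          fi

  protect-package-lock:
    name: Block package-lock.json outside maintenance
    runs-on: ubuntu-latest
    if: github.base_ref != 'maintenance'
    steps:
      - name: Check out repository
        # Pinned to a full commit SHA rather than a mutable tag.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Full history so the merge base used by BASE_SHA...HEAD_SHA resolves.
          fetch-depth: 0
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - name: Fail if package-lock.json changed outside maintenance
        shell: bash
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BASE_REF: ${{ github.base_ref }}
        # Three-dot diff lists files changed on the PR side since the merge
        # base. `grep -Fxq` matches a whole line, so only the repository-root
        # package-lock.json is caught; nested lockfiles (e.g. in a workspace
        # package) are not covered by this check.
        run: |
          set -euo pipefail
          changed_files=$(git diff --name-only "${BASE_SHA}...${HEAD_SHA}")
          if echo "${changed_files}" | grep -Fxq "package-lock.json"; then
            echo "::error file=package-lock.json::package-lock.json may only be changed in PRs targeting maintenance. Current target branch: ${BASE_REF}"
            exit 1
          fi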