File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ name : Release PR Guard
2+
3+ # Generated release PRs are tree-replaced from prod 'next' (promoted staging
4+ # content). They must NEVER modify prod-owned machinery: a diff touching these
5+ # paths means staging content leaked through the promote's restore step (as
6+ # happened with bin/check-release-environment on 2026-07-03/04). Passes
7+ # trivially for human PRs, which may legitimately edit workflows.
8+
9+ on :
10+ pull_request :
11+ branches : [main]
12+
13+ permissions :
14+ contents : read
15+
16+ jobs :
17+ protected-paths :
18+ name : protected-paths
19+ runs-on : ubuntu-latest
20+ steps :
21+ - uses : actions/checkout@v4
22+ with :
23+ fetch-depth : 0
24+ - name : Block prod-owned changes in generated release PRs
25+ env :
26+ HEAD_REF : ${{ github.head_ref }}
27+ BASE_REF : ${{ github.base_ref }}
28+ run : |
29+ if [[ "$HEAD_REF" != release-please--* ]]; then
30+ echo "Not a generated release PR; nothing to guard."
31+ exit 0
32+ fi
33+ changed=$(git diff --name-only "origin/$BASE_REF"...HEAD)
34+ bad=$(printf '%s\n' "$changed" | grep -E '^(\.github/|bin/|release-please-config\.json)' | grep -v '^\.github/workflows/create-releases\.yml$' || true)
35+ if [ -n "$bad" ]; then
36+ echo "::error::Generated release PR modifies prod-owned machinery (staging leak through promote?):"
37+ printf '%s\n' "$bad"
38+ exit 1
39+ fi
40+ echo "No prod-owned paths touched."
You can’t perform that action at this time.
0 commit comments