Skip to content

Commit d2089a8

Browse files
authored
ci: guard release PRs against prod-owned machinery changes (#65)
1 parent da8cf61 commit d2089a8

1 file changed

Lines changed: 40 additions & 0 deletions

File tree

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
name: Release PR Guard
2+
3+
# Generated release PRs are tree-replaced from prod 'next' (promoted staging
4+
# content). They must NEVER modify prod-owned machinery: a diff touching these
5+
# paths means staging content leaked through the promote's restore step (as
6+
# happened with bin/check-release-environment on 2026-07-03/04). Passes
7+
# trivially for human PRs, which may legitimately edit workflows.
8+
9+
on:
10+
pull_request:
11+
branches: [main]
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
protected-paths:
18+
name: protected-paths
19+
runs-on: ubuntu-latest
20+
steps:
21+
- uses: actions/checkout@v4
22+
with:
23+
fetch-depth: 0
24+
- name: Block prod-owned changes in generated release PRs
25+
env:
26+
HEAD_REF: ${{ github.head_ref }}
27+
BASE_REF: ${{ github.base_ref }}
28+
run: |
29+
if [[ "$HEAD_REF" != release-please--* ]]; then
30+
echo "Not a generated release PR; nothing to guard."
31+
exit 0
32+
fi
33+
changed=$(git diff --name-only "origin/$BASE_REF"...HEAD)
34+
bad=$(printf '%s\n' "$changed" | grep -E '^(\.github/|bin/|release-please-config\.json)' | grep -v '^\.github/workflows/create-releases\.yml$' || true)
35+
if [ -n "$bad" ]; then
36+
echo "::error::Generated release PR modifies prod-owned machinery (staging leak through promote?):"
37+
printf '%s\n' "$bad"
38+
exit 1
39+
fi
40+
echo "No prod-owned paths touched."

0 commit comments

Comments
 (0)