chore: close external PRs that touch blacklisted files (#166)

basvandijk · web-flow · commit 46f06b833d9b · 2025-10-20T14:02:53.000+02:00
Instead of just commenting on external PRs that touch blacklisted files this commit causes them to be closed as well. We intend to use this in dfinity/ic to automatically close PRs by non-DFINITY contributors that touch files under `.github`. See: dfinity/ic#7307. This also changes the definition of an "external" PR from any PR created by a non-DFINITY member to any PR created from a fork. The latter is easier to determine because we don't need to query the GitHub API. Also note that the set of PRs created from forks includes the set of PRs created by non-DFINITY members since non-DFINITY members can create PRs from source repos since they're not allowed to push there. Finally this commit simplifies the `reusable_workflows/repo_policies/check_external_changes.py` Python code by not fetching the `.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST` file from within the script but using the `actions/checkout` action instead. Tested here: dfinity/test-compliant-repository-public#72 (comment).
diff --git a/.github/workflows/internal_vs_external.yml b/.github/workflows/internal_vs_external.yml
@@ -11,15 +11,10 @@ permissions:
   pull-requests: write
 
 jobs:
-  check-membership:
-    uses: dfinity/public-workflows/.github/workflows/check_membership.yml@main
-    secrets: inherit
-
   revoke-approvals:
     name: Check Revoke Approvals
     runs-on: ubuntu-latest
-    needs: check-membership
-    if: ${{ needs.check-membership.outputs.is_member != 'true' && needs.check-membership.result == 'success' }}
+    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Dismiss Pull Request Reviews
         if: ${{ ! github.event.pull_request_target.draft }}
@@ -54,52 +49,61 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # actor is github actions with above permissions
           GH_ORG: ${{ github.repository_owner }}
           REPO: ${{ github.event.repository.name }}
-          PULL_NUMBER: ${{ github.event.pull_request.number }}          
+          PULL_NUMBER: ${{ github.event.pull_request.number }}
 
   check-external-file-changes:
     name: Check Unallowed File Changes
     runs-on: ubuntu-latest
-    needs: check-membership
-    if: ${{ needs.check-membership.outputs.is_member != 'true' && needs.check-membership.result == 'success' }}
+    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
     steps:
-        # First check out code from public-workflows
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout EXTERNAL_CONTRIB_BLACKLIST from ${{ github.repository }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          repository: dfinity/public-workflows
-          path: public-workflows
+          path: repo
+          # actions/checkout will checkout the target repo and default branch by default
+          # when triggered by pull_request_target. However for security reasons we want to
+          # be explicit here.
+          repository: ${{ github.repository }}
+          ref: ${{ github.event.repository.default_branch }}
+          sparse-checkout: .github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST
 
-      - name: Python Setup
-        uses: ./public-workflows/.github/workflows/python-setup
+      - name: Checkout check_external_changes.py from dfinity/public-workflows
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          working-directory: public-workflows
+          repository: dfinity/public-workflows
+          path: public-workflows
+          sparse-checkout: reusable_workflows/repo_policies/check_external_changes.py
 
       - name: Get changed files
-        id: changed-files
         uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
         with:
-          use_rest_api: 'true'
+          use_rest_api: true
+          json: true
+          write_output_files: true
 
       - name: Check External Changes
-        id:  check-external-changes
-        run: |
-          export PYTHONPATH="$PWD/public-workflows/reusable_workflows/"
-          python public-workflows/reusable_workflows/repo_policies/check_external_changes.py
-        shell: bash
+        if: ${{ hashFiles('repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST') != '' }}
+        id: check_external_changes
+        run: public-workflows/reusable_workflows/repo_policies/check_external_changes.py
         env:
-          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # no actual token stored, read-only permissions
-          ORG: ${{ github.repository_owner }}
-          REPO: ${{ github.event.repository.name }}
+          # populated by the action
+          # https://github.com/tj-actions/changed-files/blob/d03a93c0dbfac6d6dd6a0d8a5e7daff992b07449/README.md?plain=1#L569-L572
+          CHANGED_FILES_JSON_PATH: ".github/outputs/all_changed_and_modified_files.json"
+          EXTERNAL_CONTRIB_BLACKLIST_PATH: "repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST"
 
-      - name: Add PR Comment
+      - name: Close PR
         uses: actions/github-script@v7
-        if: ${{ failure() }}
+        if: ${{ !cancelled() && steps.check_external_changes.conclusion == 'failure' }}
         with:
           script: |
-            let message = "Changes made to unallowed files. "
+            github.rest.pulls.update({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'closed'
+            })
+            let message = "Closed Pull Request since changes were made to [unallowed files](${{ github.server_url }}/${{ github.repository }}/blob/${{ github.event.repository.default_branch }}/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST).\n\n"
             message += 'Please see details here: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n'
-
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
diff --git a/reusable_workflows/repo_policies/check_external_changes.py b/reusable_workflows/repo_policies/check_external_changes.py
@@ -1,65 +1,39 @@
+#!/usr/bin/env python3
 import fnmatch
+import json
+import os
 import sys
+from pathlib import Path
 
-import github3
 
-from shared.utils import download_gh_file, load_env_vars
+def main():
+    EXTERNAL_CONTRIB_BLACKLIST_PATH = os.environ['EXTERNAL_CONTRIB_BLACKLIST_PATH']
 
-EXTERNAL_CONTRIB_BLACKLIST_PATH = ".github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST"
+    blacklisted_patterns = [
+        pattern for line in Path(EXTERNAL_CONTRIB_BLACKLIST_PATH).read_text().splitlines()
+        if (pattern := line.split("#")[0].strip()) != ""
+    ]
 
+    with open(os.environ['CHANGED_FILES_JSON_PATH'], 'r') as f:
+        changed_files = json.load(f)
 
-def get_blacklisted_files(repo: github3.github.repo) -> list[str]:
-    """
-    Loads the config from the repository that contains the list of blacklisted files.
-    """
-    try:
-        config_file = download_gh_file(repo, EXTERNAL_CONTRIB_BLACKLIST_PATH)
-    except github3.exceptions.NotFoundError:
-        return []
-    blacklisted_files = [
-        line for line in config_file.splitlines() if line.strip() and not line.strip().startswith("#")
-    ]
-    return blacklisted_files
+    print(f"Changed files: {changed_files}")
+    print(f"Blacklisted patterns: {blacklisted_patterns}")
 
+    if blacklisted_patterns == []:
+        print("No blacklisted patterns found.")
+        sys.exit(0)
 
-def check_files_against_blacklist(changed_files: list, blacklist_files: list) -> None:
-    """
-    Check if any changed files match the blacklist rules using glob pattern matching.
-    """
-    violations = []
-    for file in changed_files:
-        for rule in blacklist_files:
-            if fnmatch.fnmatch(file, rule):  # Use glob pattern matching
-                violations.append(file)
+    violations = [
+        file for pattern in blacklisted_patterns for file in changed_files
+        if fnmatch.fnmatch(file, pattern)
+    ]
 
     if len(violations) > 0:
         print(f"No changes allowed to files: {violations}")
         sys.exit(1)
 
-    else:
-        print("All changed files pass conditions.")
-
-
-def main():
-    # Environment variables
-    REQUIRED_ENV_VARS = ["REPO", "CHANGED_FILES", "ORG", "GH_TOKEN"]
-    env_vars = load_env_vars(REQUIRED_ENV_VARS)
-    
-    gh = github3.login(token=env_vars["GH_TOKEN"])
-    repo = gh.repository(owner=env_vars["ORG"], repository=env_vars["REPO"])
-
-    # Get changed files
-    changed_files = env_vars["CHANGED_FILES"].split()
-    print(f"Changed files: {changed_files}")
-
-    blacklist_files = get_blacklisted_files(repo)
-
-    if blacklist_files == []:
-        print("No blacklisted files found found.")
-        sys.exit(0)
-
-    # Check changed files against blacklist
-    check_files_against_blacklist(changed_files, blacklist_files)
+    print("All changed files pass conditions.")
 
 
 if __name__ == "__main__":
diff --git a/reusable_workflows/tests/test_external_changes.py b/reusable_workflows/tests/test_external_changes.py
