Support for Contributions of Agentic Workflows #1
Workflow file for this run
````yaml
name: Block Forbidden Workflow Contribution Files

on:
  pull_request:
    branches: [staged]
    types: [opened, synchronize, reopened]
    paths:
      - "workflows/**"

permissions:
  contents: read
  pull-requests: write

jobs:
  check-forbidden-files:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check for forbidden files in workflows/
        id: check
        run: |
          # Check for YAML/lock files in workflows/ and any .github/ modifications
          forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \
            'workflows/**/*.yml' \
            'workflows/**/*.yaml' \
            'workflows/**/*.lock.yml' \
            '.github/*' \
            '.github/**')
          if [ -n "$forbidden" ]; then
            echo "❌ Forbidden files detected:"
            echo "$forbidden"
            echo "files<<EOF" >> "$GITHUB_OUTPUT"
            echo "$forbidden" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
            exit 1
          else
            echo "✅ No forbidden files found in workflows/"
          fi

      - name: Comment on PR
        if: failure()
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: workflow-forbidden-files
          message: |
            ## 🚫 Forbidden files in `workflows/`
            Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**:
            - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code
            - `.github/` modifications — workflow contributions must not modify repository configuration
            **Files that must be removed:**
            ```
            ${{ steps.check.outputs.files }}
            ```
            Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`.
            Please remove these files and push again.
````
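The PR comment states that only `.md` files are accepted under `workflows/`, while the check step lists specific extensions to reject. An allowlist form of that rule, as an added example that is not part of this repository's workflow (the function names, the `BASE_REF` variable and the sample paths are assumptions constructed for illustration):

```shell
# Added example, not the repository's workflow code.
# forbidden_paths: read changed paths on stdin (one per line) and print
# each path that breaks the rule stated in the PR comment.
forbidden_paths() {
  while IFS= read -r path; do
    case "$path" in
      .github/*)      printf '%s\n' "$path" ;;  # repository configuration
      workflows/*.md) ;;                         # workflow source, allowed
      workflows/*)    printf '%s\n' "$path" ;;  # any other file type
    esac                                         # paths elsewhere are out of scope
  done
}

# Constructed sample of changed paths (not taken from a real pull request).
sample_changed_paths() {
  cat <<'EOF'
workflows/triage/issue-triage.md
workflows/triage/issue-triage.lock.yml
workflows/helper.sh
workflows/notes.YML
.github/workflows/ci.yml
docs/readme.md
EOF
}

# check_paths: report on stdin's paths; return 1 if any is forbidden.
check_paths() {
  found=$(forbidden_paths)
  if [ -n "$found" ]; then
    printf 'Forbidden files detected:\n%s\n' "$found"
    return 1
  fi
  printf 'No forbidden files found\n'
}

# In a workflow step (BASE_REF is a hypothetical variable for the base branch):
#   git diff --name-only --diff-filter=ACM "origin/$BASE_REF...HEAD" | check_paths
sample_changed_paths | check_paths || true
```

Because the `case` patterns allow only `*.md`, a differently cased extension such as `notes.YML` or an unrelated file type such as `helper.sh` is reported without having to be listed.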