name: New Authors Check # pull_request_target runs with base-repo permissions (including write) even # for fork PRs, allowing us to post a comment directly without the artifact # hand-off to a second workflow_run workflow. # # Only git history is read here. Avoid checking out fork PR files in the # pull_request_target trust context; the job checks out the trusted base ref and # fetches the PR head ref only for git-log inspection. on: pull_request_target: permissions: contents: read pull-requests: write concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} cancel-in-progress: true jobs: check-id: name: New Author Check runs-on: ubuntu-latest steps: - name: Checkout trusted base branch uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: fetch-depth: 0 persist-credentials: false - run: sudo apt -y install git - name: Fetch PR head for history inspection env: PR_NUMBER: ${{ github.event.pull_request.number }} run: | git fetch --no-tags --no-recurse-submodules origin \ "+refs/pull/${PR_NUMBER}/head:refs/remotes/pull-request/head" - name: Export known authors from main branch run: git log --format="%an <%ae>" origin/main | sort | uniq > authors.txt - name: Export authors from new commits env: BASE_SHA: ${{ github.event.pull_request.base.sha }} run: git log --format="%an <%ae>" "${BASE_SHA}..refs/remotes/pull-request/head" | sort | uniq > commit-authors.txt - name: Check new authors run: | touch new-authors.txt while read -r author; do echo "Checking author: ${author}" if ! grep -qFx "${author}" authors.txt; then echo "ERROR: ${author} NOT FOUND" echo "::warning ::New author found: ${author}" echo "${author}" >> new-authors.txt echo has_new_authors="yes" >> $GITHUB_ENV fi done < commit-authors.txt - name: Comment on PR if: ${{ env.has_new_authors == 'yes' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | let msg = 'NOTE: This PR may contain new authors.'; await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, body: msg });