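# OSS guardrails: fail if private/sensitive paths are ever tracked.
# Prevents accidental leakage as the repo grows.
name: OSS guardrails

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege: this job only reads the checked-out tree, so the
# GITHUB_TOKEN needs nothing beyond read access to contents.
permissions:
  contents: read

jobs:
  no-private-paths:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): consider pinning the action to a full commit SHA rather
      # than a mutable tag so its contents cannot change under this workflow.
      - uses: actions/checkout@v4
      - name: Fail if private paths are tracked
        run: |
          set -euo pipefail
          # docs/ is intentionally tracked (GET_STARTED, CONTRIBUTING, etc.). Do not block it.
          # Each alternative is matched with grep -E against every path printed by git ls-files:
          #   (^|/)\.env$            a .env file at the repo root or in any subdirectory
          #   \.db$                  paths ending in .db
          #   extensions_storage/    anything under a directory of that name
          #   contracts/             anything under a directory of that name
          #   freelancer             any path containing that substring
          #   \.railway              any path containing ".railway"
          #   \.(pem|p12|pfx|key)$   key / certificate material
          PATTERNS='(^|/)\.env$|\.db$|extensions_storage/|contracts/|freelancer|\.railway|\.(pem|p12|pfx|key)$'
          # List tracked files in a separate command so a git failure fails the
          # step (set -e) instead of being swallowed by the "|| true" below.
          ALL_TRACKED=$(git ls-files)
          # grep exits 1 when nothing matches; that is the expected good case.
          TRACKED=$(printf '%s\n' "$ALL_TRACKED" | grep -E "$PATTERNS" || true)
          if [ -n "$TRACKED" ]; then
            echo "::error::The following private/sensitive paths must not be tracked. Add them to .gitignore and run 'git rm -r --cached <path>'."
            echo "$TRACKED"
            exit 1
          fi
          echo "No private paths are tracked."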