Skip to content
Guard Dependencies

➖ Drop support for Python 3.8 #1

Sign in to view logs

➖ Drop support for Python 3.8

➖ Drop support for Python 3.8 #1

Workflow file for this run

.github/workflows/guard-dependencies.yml at 1835b01
name: Guard Dependencies
on:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- This workflow only reads context.payload metadata, never checks out PR code
branches: [main]
paths:
- pyproject.toml
- uv.lock
permissions:
contents: read
issues: write
pull-requests: write
jobs:
check-author:
runs-on: ubuntu-latest
steps:
- name: Check if author is org member or allowed bot
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const pr = context.payload.pull_request;
const author = pr.user.login;
const assoc = pr.author_association;
const botAllowlist = new Set(['dependabot[bot]']);
const orgAuthorAssociations = new Set(['MEMBER', 'OWNER']);
const allowed =
botAllowlist.has(author) ||
(assoc != null && orgAuthorAssociations.has(assoc));
if (!allowed) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.`
});
await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number,
state: 'closed'
});
core.setFailed('Dependency changes are restricted to organization members.');
} else {
console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`);
}