diff --git a/.github/workflows/update-dependency-reminder.yml b/.github/workflows/update-dependency-reminder.yml
new file mode 100644
index 00000000000..456e0f5c18c
--- /dev/null
+++ b/.github/workflows/update-dependency-reminder.yml
@@ -0,0 +1,48 @@
+name: Request Lockfile Review
+
+on:
+  pull_request_target:
+    branches: ["master"]
+    types: [opened, synchronize, reopened]
+
+jobs:
+  review-lockfiles:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+
+    steps:
+      # We intentionally do NOT use actions/checkout here.
+      # This keeps the environment completely secure and satisfies CodeQL.
+
+      - name: Check files via GitHub API
+        id: check_files
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prNumber = context.payload.pull_request.number;
+
+            // Get the list of files in the PR directly from the API
+            const { data: files } = await github.rest.pulls.listFiles({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber,
+              per_page: 100
+            });
+
+            // Look for any file **ending** in gradle.lockfile
+            const hasLockfile = files.some(file => file.filename.endsWith('gradle.lockfile'));
+            core.setOutput('has_lockfile', hasLockfile ? 'true' : 'false');
+
+      - name: Post unresolved review comment
+        if: steps.check_files.outputs.has_lockfile == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'REQUEST_CHANGES',
+              body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_Someone with Admin role must manually dismiss this review before merging._`
+            });
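Review bot: The lockfile check in the `Check files via GitHub API` step only inspects the first page of `pulls.listFiles` (`per_page: 100`), so a pull request touching more than 100 files can change a `gradle.lockfile` without ever triggering the review — a silent gap in exactly the control this workflow exists to enforce. Replace the single call with the paginating helper that github-script already exposes: `const files = await github.paginate(github.rest.pulls.listFiles, { owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber, per_page: 100 });` and drop the `{ data: files }` destructuring. A second, smaller point: because the trigger includes `synchronize`, the `Post unresolved review comment` step files a fresh `REQUEST_CHANGES` review on every push; consider calling `github.rest.pulls.listReviews` first and skipping when an open `CHANGES_REQUESTED` review from the workflow's own login already exists. The inline comment claiming the job is "completely secure" is stronger than the code supports — the safe property here is only that no PR-controlled content is checked out or executed, and that the only PR-derived values used are the PR number and filenames compared with `endsWith`; it would read better as `# No actions/checkout: this job never executes code from the PR head, so the write-scoped token is not exposed to it.` The statement that an Admin must dismiss the review is inferred from branch-protection settings not visible in this change and should be confirmed before relying on it.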