flowthru/.github/workflows/pr-author-check.yml at main · chaoticgoodcomputing/flowthru · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: PR Author Check

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  validate-authors:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
      contents: read

    steps:
      - name: Validate commit authors
        uses: actions/github-script@v7
        with:
          script: |
            const allowedBots = [
              'github-actions[bot]',
              'dependabot[bot]'
            ];

            // Fetch all commits in the PR
            const { data: commits } = await github.rest.pulls.listCommits({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });

            const violations = [];

            for (const commit of commits) {
              const message = commit.commit.message;
              const sha = commit.sha.substring(0, 7);

              // Extract Co-authored-by lines
              const coAuthorRegex = /^Co-authored-by:\s*(.+?)\s*<(.+?)>/gim;
              let match;

              while ((match = coAuthorRegex.exec(message)) !== null) {
                const name = match[1].trim();
                const email = match[2].trim();

                // Check if this is a bot account
                if (name.endsWith('[bot]')) {
                  // Verify it's in the allowlist
                  if (!allowedBots.includes(name)) {
                    violations.push({
                      sha: sha,
                      name: name,
                      email: email
                    });
                  }
                }
                // Human accounts (no [bot] suffix) are always allowed
              }
            }

            if (violations.length > 0) {
              const errorReport = violations.map(v =>
                `  - Commit ${v.sha}: ${v.name} <${v.email}>`
              ).join('\n');

              core.setFailed(
                `❌ Unauthorized bot co-authors detected:\n\n${errorReport}\n\n` +
                `Only human accounts and the following bot accounts are permitted as co-authors:\n` +
                `  - ${allowedBots.join('\n  - ')}\n\n` +
                `Please remove unauthorized co-authors from your commits using:\n` +
                `  git rebase -i HEAD~<n>  # Edit commits\n` +
                `  git commit --amend      # Modify commit message\n` +
                `  git push --force        # Update PR`
              );
            } else {
              console.log('✅ All commit authors validated successfully');
            }