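---
# Closes any pull request against the listed branches when the PR author, or
# the GitHub account attributed to one of its commits, is not on the allow-list
# embedded in the script below.
name: Restrict PR Authors & Committers

# These permissions scope the automatic GITHUB_TOKEN only. The script below
# authenticates with secrets.PR_CLOSE_TOKEN instead, so that token's own scope
# is what actually bounds this job.
permissions:
  contents: read
  pull-requests: write

# NOTE(review): on `pull_request` the workflow definition is taken from the
# PR's merge ref, and secrets other than GITHUB_TOKEN are not passed to runs
# triggered from forks, so PR_CLOSE_TOKEN may be empty for fork PRs. This job
# checks out no PR code; confirm whether `pull_request_target` (base-branch
# workflow, secrets available) is the intended trigger for an enforcement gate.
on:
  pull_request:
    types: [opened, reopened, synchronize]
    branches:
      - dev_odex-event
      - dev_odex25_accounting
      - dev_odex25_base
      - dev_odex25_dms
      - dev_odex25_fleet
      - dev_odex25_hr
      - dev_odex25_inventory
      - dev_odex25_maintenance
      - dev_odex25_mobile
      - dev_odex25_pos
      - dev_odex25_project
      - dev_odex25_purchase
      - dev_odex25_realstate
      - dev_odex25_sales
      - dev_odex25_survey
      - dev_odex25_transactions
      - dev_odex25_website
      - dev_openeducat_erp-14.0.1.0
      - dev_odex25_ensan
      - dev_odex25_helpdesk
      - dev_odex25_donation
      - preprod_odex-event
      - preprod_odex25_accounting
      - preprod_odex25_base
      - preprod_odex25_dms
      - preprod_odex25_fleet
      - preprod_odex25_helpdesk
      - preprod_odex25_hr
      - preprod_odex25_inventory
      - preprod_odex25_maintenance
      - preprod_odex25_mobile
      - preprod_odex25_pos
      - preprod_odex25_project
      - preprod_odex25_purchase
      - preprod_odex25_realstate
      - preprod_odex25_sales
      - preprod_odex25_survey
      - preprod_odex25_transactions
      - preprod_odex25_website
      - preprod_openeducat_erp-14.0.1.0
      - preprod_odex25_ensan
      - preprod_odex25_donation
      - master_odex-event
      - master_odex25_accounting
      - master_odex25_base
      - master_odex25_dms
      - master_odex25_fleet
      - master_odex25_helpdesk
      - master_odex25_hr
      - master_odex25_inventory
      - master_odex25_maintenance
      - master_odex25_mobile
      - master_odex25_pos
      - master_odex25_project
      - master_odex25_purchase
      - master_odex25_realstate
      - master_odex25_sales
      - master_odex25_survey
      - master_odex25_transactions
      - master_odex25_website
      - master_openeducat_erp-14.0.1.0
      - master_odex25_ensan
      - master_odex25_donation

jobs:
  validate:
    # Custom runner label, presumably a self-hosted runner (confirm). The job
    # checks out no repository code; keep it that way on a shared runner.
    runs-on: linting_odex25-standard-modules_runner
    steps:
      - name: Validate PR Author & Commit Authors
        # NOTE(review): pinned to a mutable major tag; consider pinning to the
        # full commit SHA of the reviewed release, since this step is handed
        # a token that can close pull requests.
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.PR_CLOSE_TOKEN }}
          script: |
            // Logins allowed to open PRs and to appear as commit authors.
            const allowed = [
              "expsa",
              "ronozoro",
              "Abubaker-Altaib",
              "altexp",
              "the5abir",
              "ahmadaking",
              "kchyounes19",
              "abdurrahman-saber"
            ];

            const pr = context.payload.pull_request;
            const prAuthor = pr.user.login;
            const owner = context.repo.owner;
            const repo = context.repo.repo;

            core.info(`PR author: ${prAuthor}`);

            // Check PR author
            if (!allowed.includes(prAuthor)) {
              core.error(`Unauthorized PR author: ${prAuthor}. Closing PR...`);
              await github.rest.pulls.update({
                owner,
                repo,
                pull_number: pr.number,
                state: "closed"
              });
              return;
            }

            // Check commit authors.
            // Paginate: a single listCommits call returns only the first page
            // (30 commits by default), so later commits were never inspected.
            // The endpoint itself lists at most 250 commits per pull request.
            const commits = await github.paginate(github.rest.pulls.listCommits, {
              owner,
              repo,
              pull_number: pr.number,
              per_page: 100
            });

            for (const commit of commits) {
              // commit.author is the GitHub account that GitHub associates with
              // the commit's author e-mail. It is attribution metadata, not
              // proof of identity; required signed commits or branch protection
              // are the stronger controls.
              const commitAuthor = commit.author ? commit.author.login : null;

              if (!commitAuthor) {
                // No linked account: this commit cannot be matched against the
                // allow-list. Surface it instead of skipping it silently.
                // NOTE(review): decide whether such commits should close the PR.
                core.warning(
                  `Commit ${commit.sha} has no linked GitHub account; author not checked.`
                );
                continue;
              }

              if (!allowed.includes(commitAuthor)) {
                core.error(`Unauthorized commit author: ${commitAuthor}. Closing PR...`);
                await github.rest.pulls.update({
                  owner,
                  repo,
                  pull_number: pr.number,
                  state: "closed"
                });
                return;
              }
            }

            core.info("All PR authors and committers are allowed.");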