odex25_standard/.github/workflows/restrict-pr-authors.yaml

name: Restrict PR Authors & Committers

permissions:
  contents: read
  pull-requests: write

on:
  pull_request:
    types: [opened, reopened, synchronize]
    branches:
      - dev_odex-event
      - dev_odex25_accounting
      - dev_odex25_base
      - dev_odex25_dms
      - dev_odex25_fleet
      - dev_odex25_hr
      - dev_odex25_inventory
      - dev_odex25_maintenance
      - dev_odex25_mobile
      - dev_odex25_pos
      - dev_odex25_project
      - dev_odex25_purchase
      - dev_odex25_realstate
      - dev_odex25_sales
      - dev_odex25_survey
      - dev_odex25_transactions
      - dev_odex25_website
      - dev_openeducat_erp-14.0.1.0
      - dev_odex25_ensan
      - dev_odex25_helpdesk
      - dev_odex25_donation

jobs:
  check_pr_author:
    runs-on: linting_odex25-standard-modules_runner

    steps:
      - name: Validate PR Author & Commit Authors
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GH_TOKEN }}
          script: |
            const allowed = [
              "expsa",
              "moutazmuhammad",
              "ronozoro",
              "Abubaker-Altaib",
              "altexp",
              "the5abir",
              "ahmadaking",
              "kchyounes19",
              "abdurrahman-saber"
            ];

            const pr = context.payload.pull_request;
            const prAuthor = pr.user.login;
            const owner = context.repo.owner;
            const repo = context.repo.repo;

            core.info(`PR author: ${prAuthor}`);

            // Check PR author
            if (!allowed.includes(prAuthor)) {
              core.error(`Unauthorized PR author: ${prAuthor}. Closing PR...`);
              await github.rest.pulls.update({
                owner,
                repo,
                pull_number: pr.number,
                state: "closed"
              });
              return;
            }

            // Check commit authors
            const commitList = await github.rest.pulls.listCommits({
              owner,
              repo,
              pull_number: pr.number
            });

            for (const commit of commitList.data) {
              const commitAuthor = commit.author ? commit.author.login : null;

              if (commitAuthor && !allowed.includes(commitAuthor)) {
                core.error(`Unauthorized commit author: ${commitAuthor}. Closing PR...`);

                await github.rest.pulls.update({
                  owner,
                  repo,
                  pull_number: pr.number,
                  state: "closed"
                });

                return;
              }
            }

            core.info("All PR authors and committers are allowed.");