This GitHub Action helps protect specific files in your repository from being modified by external contributors.
- Add a file named `.lockedFiles` to the root of your repository.
- List the file paths you want to protect inside `.lockedFiles`:

```
src/secure/config.yml
secrets.json
```

- Any pull request that modifies these files will be blocked automatically.

To allow a pull request that modifies locked files to go through anyway, add the label:

`BYPASS_LABEL`

- This label will bypass the Merge-Monitor check.
- Go to the Releases page of this repository.
- Download the latest release ZIP file.
- Extract the contents into your own repository.

```
.github/
├── actions/
│   └── check-sensitive-files/
│       ├── Dockerfile      # Builds the environment for the action
│       ├── action.yml      # Defines what the action does and how it runs
│       └── check.py        # The script that performs the file check
└── workflows/
    └── pr-check.yml        # The workflow that triggers the action on every PR
.lockedFiles                # List of files that should not be modified
```

⚠️ This step is already configured in the ZIP release.
If it doesn't work, or you want to set it up manually, create a file at `.github/workflows/locked-files.yml` with the following content:

```yaml
name: 'PR Check: Sensitive Files'

on:
  # pull_request_target runs in the context of the base repository, so the
  # checkout step below fetches the base branch, not the pull request's code.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Only the scopes listed here are granted to GITHUB_TOKEN.
permissions:
  pull-requests: write
  issues: write

jobs:
  check-sensitive-files:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run Check Sensitive Files Action
        uses: ./.github/actions/check-sensitive-files
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BYPASS_LABEL: ${{ secrets.BYPASS_LABEL }}
```

List the files you want to protect, one per line.
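
The check described above, sketched as an added example (this is not the project's `check.py`). It assumes the changed files arrive in the shape of GitHub's "list pull request files" response (`filename`, `previous_filename`); the label name `allow-locked` in the test data and treating `.lockedFiles` itself as locked are assumptions of this sketch.

```python
import posixpath

LOCK_FILE = ".lockedFiles"  # file name from the README


def normalize(path):
    """Make './a//b' and 'a\\b' compare equal to 'a/b'."""
    return posixpath.normpath(path.replace("\\", "/")).lstrip("/")


def parse_locked(text):
    """One path per line; blank lines are ignored."""
    return {normalize(line.strip()) for line in text.splitlines() if line.strip()}


def touched_locked_files(pr_files, locked):
    """pr_files: entries shaped like GitHub's 'list pull request files' response."""
    hits = set()
    for entry in pr_files:
        # A rename reports the new path in 'filename' and the old one in
        # 'previous_filename'; check both so moving a locked file is caught.
        for key in ("filename", "previous_filename"):
            path = entry.get(key)
            if path and normalize(path) in locked:
                hits.add(normalize(path))
    return sorted(hits)


def evaluate(pr_files, pr_labels, locked_text, bypass_label):
    """Return (verdict, locked files touched)."""
    # Assumption: the list itself is treated as locked, so a PR cannot shrink it.
    locked = parse_locked(locked_text) | {LOCK_FILE}
    hits = touched_locked_files(pr_files, locked)
    if not hits:
        return "pass", []
    # An unset BYPASS_LABEL secret arrives as "", which must never match.
    if bypass_label and bypass_label in pr_labels:
        return "bypassed", hits
    return "blocked", hits


# Constructed sample data, not taken from a real pull request.
LOCKED_TEXT = "src/secure/config.yml\nsecrets.json\n"
SAMPLE_PR = [
    {"filename": "README.md", "status": "modified"},
    {"filename": "docs/config.yml", "status": "renamed",
     "previous_filename": "src/secure/config.yml"},
]
```
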
Feel free to open issues and pull requests.