fix: suppress progress bar around Remove-Item in PowerShell scripts #3
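name: Protect Sync Integrity

# This workflow runs on the PUBLIC repository.
# It detects commits that did not arrive via `git subtree push` from the
# private repository, reverts the ones that were made through the GitHub web
# UI, and opens an alert issue for everything it flags.
#
# SECURITY NOTE — read before relying on this job:
# Every signal inspected below is controlled by whoever wrote the commit. The
# author e-mail (`git log --pretty=%ae`) is whatever `git config user.email`
# said on the committing machine, and the `[sync-from-private]` marker is just
# text in the commit message; anyone who can push can reproduce both. This job
# therefore catches *accidental* direct commits and records an audit trail; it
# is not a control against a deliberate bypass. Real enforcement belongs in
# branch protection / repository rulesets (restrict who may push to these
# branches, require signed commits, block force-pushes). The only identity
# here that GitHub itself authenticates is the pusher (`github.actor`), which
# is logged and put in the alert so an event can be traced to an account rather
# than to a spoofable e-mail address.
#
# Actions are referenced by major tag (`@v4`, `@v7`). Pinning them to a full
# commit SHA is the usual hardening against tag retargeting; do that when the
# repository has a dependency-update bot to keep the pins current.

on:
  push:
    branches:
      - master
      - develop

jobs:
  check-commit-source:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Needed to push the revert commit
      issues: write   # Needed to create issue alerts
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history is needed so `git revert` has the parents

      - name: Check if commit came from subtree
        id: check
        env:
          # The secret is passed through `env:` instead of being interpolated
          # into the script text with `${{ }}`, so whatever it contains is only
          # ever seen as data by the shell, never as shell syntax.
          AUTHORIZED_EMAIL: ${{ secrets.AUTHORIZED_COMMITTER_EMAIL }}
          # GitHub-authenticated account that performed the push (audit only).
          PUSHER: ${{ github.actor }}
        run: |
          set -euo pipefail

          # Only the tip of the push is inspected. A multi-commit push is judged
          # by its last commit alone; earlier commits in the same push are not
          # examined individually.
          COMMIT_SHA=$(git rev-parse HEAD)
          COMMIT_MSG=$(git log -1 --pretty=%B HEAD)
          COMMIT_AUTHOR=$(git log -1 --pretty=%an HEAD)
          COMMIT_EMAIL=$(git log -1 --pretty=%ae HEAD)

          echo "Commit:    $COMMIT_SHA"
          echo "Author:    $COMMIT_AUTHOR <$COMMIT_EMAIL>"
          echo "Pushed by: $PUSHER (GitHub account)"
          echo "Message:   $COMMIT_MSG"

          if [ -z "$AUTHORIZED_EMAIL" ]; then
            # Not fatal: an empty allow list is stricter, not weaker, but it
            # almost certainly means the secret was never configured.
            echo "::warning::AUTHORIZED_COMMITTER_EMAIL secret is empty; no committer e-mail can match the allow list"
          fi

          # Method 1: authorization marker written by the private-repo sync.
          # Fixed-string match; the marker is attacker-reproducible (see top).
          if grep -qF '[sync-from-private]' <<< "$COMMIT_MSG"; then
            echo "AUTHORIZED=true" >> "$GITHUB_OUTPUT"
            echo "Commit has authorization marker from private repo"
            exit 0
          fi

          # Method 2: allow-listed committer e-mail (also attacker-reproducible).
          if [ -n "$AUTHORIZED_EMAIL" ] && [ "$COMMIT_EMAIL" = "$AUTHORIZED_EMAIL" ]; then
            echo "AUTHORIZED=true" >> "$GITHUB_OUTPUT"
            echo "Commit from authorized committer: $COMMIT_EMAIL"
            exit 0
          fi

          # Method 3: commits made through the GitHub web UI (edit / merge
          # buttons) carry a *@users.noreply.github.com author address. These
          # are the only ones this job reverts automatically.
          case "$COMMIT_EMAIL" in
            *@users.noreply.github.com*)
              echo "UNAUTHORIZED=true" >> "$GITHUB_OUTPUT"
              echo "Unauthorized web UI commit"
              exit 0
              ;;
          esac

          # Anything else is flagged but NOT reverted; a human decides. Note
          # this means a direct push with an arbitrary non-noreply address is
          # only reported, never undone, by this workflow.
          echo "SUSPICIOUS=true" >> "$GITHUB_OUTPUT"
          echo "Commit matched no known sync path; marking as suspicious"

      - name: Revert unauthorized commit
        id: revert
        if: steps.check.outputs.UNAUTHORIZED == 'true'
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          COMMIT_SHA=$(git rev-parse HEAD)

          # A web-UI merge produces a merge commit, which `git revert` refuses
          # without a mainline. Parent 1 is the branch this push landed on, so
          # `-m 1` restores that branch's previous state.
          if git rev-parse --verify --quiet "HEAD^2" >/dev/null; then
            git revert --no-edit -m 1 HEAD
          else
            git revert --no-edit HEAD
          fi

          # GITHUB_REF_NAME is the runner-provided branch name; using the
          # environment variable avoids interpolating event data into the script.
          # NOTE(review): this relies on GitHub not starting a new workflow run
          # for pushes made with the job's GITHUB_TOKEN. If that ever changed,
          # the revert commit — itself authored from a *.noreply.github.com
          # address — would be caught by Method 3 and reverted in turn.
          git push origin "$GITHUB_REF_NAME"

          # Recorded only after a successful push, so the alert below can tell
          # "reverted" apart from "revert attempted but the push was rejected".
          echo "REVERTED_SHA=$COMMIT_SHA" >> "$GITHUB_ENV"

      - name: Create alert issue
        # `!cancelled()` keeps this step running when the revert step fails
        # (e.g. the push was rejected); with a plain condition a failed revert
        # would silently skip the alert.
        if: ${{ !cancelled() && (steps.check.outputs.UNAUTHORIZED == 'true' || steps.check.outputs.SUSPICIOUS == 'true') }}
        uses: actions/github-script@v7
        env:
          # Step outputs are handed to the script through the environment, not
          # spliced into its source with `${{ }}`, so no event-derived text is
          # ever parsed as JavaScript.
          CHECK_UNAUTHORIZED: ${{ steps.check.outputs.UNAUTHORIZED }}
        with:
          script: |
            // REVERTED_SHA is exported to later steps by the revert step's
            // $GITHUB_ENV write and is only present after a successful push.
            const revertedSha = process.env.REVERTED_SHA || '';
            const wasReverted = revertedSha !== '';
            const revertAttempted = process.env.CHECK_UNAUTHORIZED === 'true';
            const commitSha = revertedSha || context.sha;
            const branch = context.ref.replace(/^refs\/heads\//, '');
            const actor = context.actor;

            let status;
            if (wasReverted) {
              status = 'Reverted';
            } else if (revertAttempted) {
              status = 'Revert FAILED for';
            } else {
              status = 'Suspicious';
            }

            let headline;
            let explanation;
            if (wasReverted) {
              headline = '### ✅ Automatically Reverted';
              explanation = 'This commit was automatically reverted because it did not come from the authorized sync process.';
            } else if (revertAttempted) {
              headline = '### ❌ Automatic Revert Failed';
              explanation = 'This commit was identified as an unauthorized web-UI commit, but the automatic revert did not complete (see the workflow run). It is still on the branch and needs manual attention.';
            } else {
              headline = '### ⚠️ Suspicious Activity Detected';
              explanation = 'This commit may not have come from the authorized sync process. Please review.';
            }

            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `⚠️ ${status} Unauthorized Commit to ${branch}`,
              body: `## Sync Integrity Alert

            ${headline}

            **Branch:** \`${branch}\`
            **Commit:** \`${commitSha}\`
            **Pushed by (GitHub account):** @${actor}

            ${explanation}

            > Note: the commit author e-mail and message marker that this check inspects are set by the committer and can be spoofed. The pusher account above is the only GitHub-authenticated identity in this report.

            ## What Happened?

            This public repository should only receive commits via \`git subtree push\` from the private repository.
            Direct commits to this repository cause divergent histories and break the sync workflow.

            ## Correct Workflow

            1. Make changes in the private repo
            2. Commit normally in the private repo
            3. CI automatically syncs to this public repo

            ## If This Was a Community PR

            - Do not merge PRs via GitHub web interface
            - PRs are automatically forwarded to the internal review system`,
              labels: ['sync-integrity', 'automated-alert']
            });

      - name: Notify via commit status
        # Runs even if issue creation failed, so the red status still lands.
        if: ${{ !cancelled() && steps.check.outputs.SUSPICIOUS == 'true' }}
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha: context.sha,
              state: 'failure',
              context: 'Sync Integrity Check',
              description: 'This commit may not be from authorized sync',
              target_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/blob/develop/CONTRIBUTING.md`
            });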