gitlab-ci: restrict checkupdates to only modifying metadata/*.yml

2026-05-08 07:06:52 +00:00 · 2024-10-24 22:44:33 +02:00 · 2024-10-24 22:44:33 +02:00 · 08098facd0
commit 08098facd0
parent f79f171344
1 changed files with 15 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -478,3 +478,18 @@ check_git_repos:
    - test -d public || mkdir public
    - cp `git status | grep -Eo 'metadata/.*\.yml'` public/ || true
    - exit $EXITVALUE
+
+
+# checkupdates should only be allowed to modify app metadata files,
+# e.g. metadata/*.yml.  Anything else should throw an error here.
+checkupdates_filter:
+  image: debian:bookworm-slim
+  stage: test
+  rules:
+    - if: $CI_PROJECT_PATH == 'fdroid/checkupdates-bot-fdroiddata'
+  script:
+    - apt-get update
+    - apt-get -qy install --no-install-recommends git
+    - git fetch https://gitlab.com/fdroid/fdroiddata.git
+    - echo "Checking for modifications to restricted paths:"
+    - ! (git diff --merge-base FETCH_HEAD HEAD --name-only | grep -v '^metadata/\S*\.yml$')