From 08098facd047ab26c0e85b083fb687a0aa355905 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 24 Oct 2024 22:44:33 +0200
Subject: [PATCH] gitlab-ci: restrict checkupdates to only modifying metadata/*.yml
---
 .gitlab-ci.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3737fb8244..3f10eba543 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -478,3 +478,18 @@ check_git_repos:
 - test -d public || mkdir public
 - cp `git status | grep -Eo 'metadata/.*\.yml'` public/ || true
 - exit $EXITVALUE
+
+
+# checkupdates should only be allowed to modify app metadata files,
+# e.g. metadata/*.yml. Anything else should throw an error here.
+checkupdates_filter:
+ image: debian:bookworm-slim
+ stage: test
+ rules:
+ - if: $CI_PROJECT_PATH == 'fdroid/checkupdates-bot-fdroiddata'
+ script:
+ - apt-get update
+ - apt-get -qy install --no-install-recommends git
+ - git fetch https://gitlab.com/fdroid/fdroiddata.git
+ - echo "Checking for modifications to restricted paths:"
+ - ! (git diff --merge-base FETCH_HEAD HEAD --name-only | grep -v '^metadata/\S*\.yml$')
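Review bot: The last script item of `checkupdates_filter` begins with an unquoted `! `, which YAML treats as a tag indicator rather than as part of the string, so the runner most likely receives `(git diff … | grep -v …)` without the negation and the job would then pass exactly when a path outside metadata/*.yml was changed. Even if the `!` is preserved by quoting the item, a failing `git diff` (for example no merge base in a shallow clone) gives grep empty input and the negation turns that into success, so the filter fails open. I would split it into `- git diff --merge-base FETCH_HEAD HEAD --name-only > changed.txt` and `- if grep -v '^metadata/\S*\.yml$' changed.txt; then exit 1; fi`, so that, assuming the runner's usual errexit, a git error stops the job and no leading `!` is needed. Since this job is the guard on what the bot may touch, it is worth confirming it goes red on a test branch that edits a file outside metadata/.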