name: static / check binaries on: pull_request: branches: [main] permissions: contents: read jobs: check-config-files: runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: persist-credentials: false - name: Check build config allowlist run: bash .github/scripts/check-config-allowlist.sh check-binaries: runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: fetch-depth: 0 persist-credentials: false - name: Check for binary and build artifacts env: BASE_REF: ${{ github.event.pull_request.base.ref }} run: | VIOLATIONS=0 # Get list of added/modified files in the PR CHANGED_FILES=$(git diff --name-only "origin/${BASE_REF}...HEAD") if [ -z "$CHANGED_FILES" ]; then echo "No changed files detected." exit 0 fi # Check for binary file extensions BINARY_FILES=$(echo "$CHANGED_FILES" | grep -iE '\.(exe|dll|so|dylib|o|obj|a|lib|wasm)$' || true) if [ -n "$BINARY_FILES" ]; then echo "::error::Binary files detected in PR:" echo "$BINARY_FILES" VIOLATIONS=1 fi # Check for build directories BUILD_FILES=$(echo "$CHANGED_FILES" | grep -E '/build/' || true) if [ -n "$BUILD_FILES" ]; then echo "::error::Files in build directories detected in PR:" echo "$BUILD_FILES" VIOLATIONS=1 fi # Check for dSYM directories DSYM_FILES=$(echo "$CHANGED_FILES" | grep -E '\.dSYM/' || true) if [ -n "$DSYM_FILES" ]; then echo "::error::dSYM debug symbol directories detected in PR:" echo "$DSYM_FILES" VIOLATIONS=1 fi # Check for large files (>1MB) among changed files # Exclude known large files: lockfiles, assets, bundled actions LARGE_FILES="" while IFS= read -r file; do if [ -f "$file" ]; then case "$file" in pnpm-lock.yaml|*/pnpm-lock.yaml|*/package-lock.json|*/poetry.lock) continue ;; assets/*|examples/*/preview.gif|examples/*/assets/*) continue ;; .github/actions/*/dist/*) continue ;; showcase/shell/src/data/*|showcase/shell-docs/src/data/*|showcase/shell-dojo/src/data/demo-content.json) continue ;; esac SIZE=$(wc -c < "$file" | tr -d ' ') if [ "$SIZE" -gt 1048576 ]; then LARGE_FILES="${LARGE_FILES}${file} ($(( SIZE / 1024 )) KB)\n" fi fi done <<< "$CHANGED_FILES" if [ -n "$LARGE_FILES" ]; then echo "::error::Files over 1 MB detected in PR:" echo -e "$LARGE_FILES" VIOLATIONS=1 fi if [ "$VIOLATIONS" -eq 1 ]; then echo "" echo "This PR contains binary artifacts, build outputs, or oversized files." echo "Please remove them and update your .gitignore if needed." exit 1 fi echo "No binary artifacts or oversized files detected."