File 0176-forbid-non-maintainers-from-committing-beam-files.patch of Package erlang
From 958838f2e745c80dfc5f2026ba6661ea9aee58e7 Mon Sep 17 00:00:00 2001
From: Kiko Fernandez-Reyes <kiko@erlang.org>
Date: Thu, 15 Jan 2026 10:18:17 +0100
Subject: [PATCH 1/2] forbid non-maintainers from committing beam files
this job checks whether the pull request has modified beam files. if it
does, then we check that only maintainers can commit beam files. the
action will fail if a non-maintainer adds beam files.
this action happens as the first step in the pipeline, so there will be
no build of Erlang/OTP if the job fails.
---
.github/workflows/main.yaml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 3930cb82e8..86ce5d1537 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -59,9 +59,37 @@ permissions:
jobs:
+ check-beam:
+ name: Forbid non-maintainers from committing BEAM files
+ runs-on: ubuntu-latest
+ if: github.repository == 'erlang/otp' && github.event_name == 'pull_request'
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Detect modified BEAM files
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+ run: |
+ PERMISSION=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/{owner}/{repo}/collaborators/$PR_AUTHOR/permission --jq '.role_name')
+
+ MODIFIED_BEAM_FILES=$(git diff --name-only ${{github.event.pull_request.base.sha}} \
+ ${{ github.event.pull_request.head.sha }} | grep '\.beam$' || true)
+ if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" && "$PERMISSION" != "Security Master" && -n "$MODIFIED_BEAM_FILES" ]]; then
+ echo "::error::Workflow failer: Only maintainers can make modifications to '*.beam' files:"
+ echo "$MODIFIED_BEAM_FILES"
+ exit 1
+ fi
+
pack:
name: Build Erlang/OTP (64-bit)
runs-on: ubuntu-latest
+ needs: check-beam
if: github.repository == 'erlang/otp' || github.event_name != 'scheduled'
outputs:
changes: ${{ steps.changes.outputs.changes }}
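Review bot: `needs: check-beam` on `pack` ties the build to a job that is skipped on every non-`pull_request` event and in forks; GitHub skips the dependants of a skipped job unless their `if:` contains a status function, and `pack`'s condition has none, so those runs would apparently stop building unless patch 2/2 handles it. A condition such as `if: ${{ !cancelled() && needs.check-beam.result != 'failure' && (github.repository == 'erlang/otp' || github.event_name != 'scheduled') }}` keeps the gate for pull requests without disabling the other triggers. In the check itself, the two-dot `git diff base head` also lists `.beam` files that changed on the base branch after the PR branched off, which the three-dot form `base...head` avoids, and the two SHAs are better passed through `env:` like `PR_AUTHOR` than interpolated into the script text. Because a `pull_request` run takes the workflow definition from the PR's own revision of `main.yaml`, the gate only binds if `check-beam` is also configured as a required status check on the protected branch. The `pack` job continues outside the hunk.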
--
2.51.0