Merge pull request #2488 from dotnet/gewarren-patch-1

Fail instead of comment for live base branch
dotnet · Jan 29, 2025 · 0b1d02b · 0b1d02b
2 parents 7e0fd23 + eb26734
commit 0b1d02b
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/.github/workflows/live-protection.yml b/.github/workflows/live-protection.yml
@@ -1,9 +1,14 @@
-name: Protect live branch
-on: [pull_request_target]
+name: Base branch checker
+on: [pull_request]
+
+permissions:
+  contents: read
 
 jobs:
-  comment:
+  live_protection_job:
+    name: Check base branch
     runs-on: ubuntu-latest
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
@@ -12,14 +17,9 @@ jobs:
 
       - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
-          SHOULD_COMMENT: ${{ github.base_ref == 'refs/heads/live' && !(github.event.issue.user.login == 'cxwtool' || github.head_ref == 'refs/heads/main') }}
+          LIVE_BASE: ${{ github.base_ref == 'live' && github.head_ref != 'main' }}
         with:
           script: |
-            if (process.env.SHOULD_COMMENT == 'true') {
-              github.issues.createComment({
-                issue_number: context.issue.number,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                body: 'It looks like this pull request may have been opened on the `live` branch by mistake. In general, PRs should target the `main` branch.'
-              })
+            if (process.env.LIVE_BASE == 'true') {
+              core.setFailed('PR targets live branch')
             }