
ci: add code-freeze check to block non-sync-bot PRs #122

Open
simonfaltum wants to merge 1 commit into main from simonfaltum/code-freeze

Conversation

@simonfaltum

Member

Summary

This repository is becoming a read-only mirror, synced one-way by the internal databricks-ci-ghec-1 / databricks-ci-ghec-2 GitHub Apps. This adds a code-freeze workflow that fails any pull request not authored by those sync bots, so direct contributions are rejected.

Before: anyone with write access can open and merge PRs.
Now: every non-bot PR gets a red code-freeze check; the two sync apps pass.

How it works

  • Runs on pull_request and merge_group (so it reports green to the merge queue and never stalls it).
  • Allows databricks-ci-ghec-1[bot] and databricks-ci-ghec-2[bot]; fails everyone else with a "read-only mirror" message.
  • permissions: {} (no token scopes needed); it only reads the PR author from the event.

Enforcement (follow-up)

The workflow only produces a check result. It hard-blocks merges only once code-freeze is added as a required status check on the main ruleset. Both sync apps are already bypass actors on that ruleset, so their syncs are unaffected. Repo admins also retain bypass.

Note: this PR's own code-freeze check will fail (the author is not a sync bot). That is expected. The check is not required yet, so it stays advisory until the ruleset is updated.

Documentation safety checklist

  • Examples use least-privilege permissions (no unnecessary ALL PRIVILEGES, admin tokens, or broad scopes)
  • Elevated permissions are explicitly called out where required
  • Sensitive values are obfuscated (placeholder workspace IDs, URLs, no real tokens)
  • No insecure patterns introduced (e.g. disabled TLS verification, hardcoded credentials)

This pull request and its description were written by Isaac.

This repo is becoming a read-only mirror fed one-way by the databricks-ci-ghec GitHub Apps. The code-freeze workflow fails any PR not authored by databricks-ci-ghec-1[bot] or databricks-ci-ghec-2[bot], and passes for the sync bots.

It only hard-blocks once added as a required status check on the main ruleset; both sync apps are already bypass actors there, so their syncs are unaffected.

Co-authored-by: Isaac
Signed-off-by: simon <simon.faltum@databricks.com>
@simonfaltum simonfaltum requested review from a team and lennartkats-db as code owners June 4, 2026 13:11
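The check step that the "How it works" list above describes, as an added example: this is not the workflow file from this PR (that file is not shown on this page), and the wiring in the leading comment is an assumption. It assumes the workflow triggers on `pull_request` and `merge_group` with `permissions: {}` and hands `github.event_name` and `github.event.pull_request.user.login` to the script through two environment variables, here named EVENT_NAME and PR_AUTHOR; the variable names, the function name `code_freeze_check` and the sample logins used in comments are all illustrative choices, not the project's.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own workflow. Assumed GitHub Actions wiring:
#   on: [pull_request, merge_group]
#   permissions: {}        # reads nothing but the event payload
#   env:
#     EVENT_NAME: ${{ github.event_name }}
#     PR_AUTHOR:  ${{ github.event.pull_request.user.login }}
#   run: sh code-freeze.sh
# Passing the login through env rather than interpolating ${{ }} into the
# script body keeps event data out of the shell's parse step.

# code_freeze_check EVENT_NAME PR_AUTHOR
# Returns 0 when the check should pass and 1 when it should fail.
code_freeze_check() {
  event="$1"
  author="$2"

  # merge_group events carry no pull_request payload. Report green so a
  # required "code-freeze" check never stalls the merge queue; the PR-level
  # run already gave its verdict before the PR could enter the queue.
  if [ "$event" = "merge_group" ]; then
    echo "code-freeze: merge_group event, nothing to check"
    return 0
  fi

  # No author in the payload means the workflow is miswired; fail closed
  # rather than silently letting the PR through.
  if [ -z "$author" ]; then
    echo "code-freeze: no pull_request author in event payload, failing closed" >&2
    return 1
  fi

  # GitHub Apps appear as "<app-slug>[bot]" in user.login. The patterns are
  # quoted so the brackets are matched literally, not as a glob class.
  case "$author" in
    "databricks-ci-ghec-1[bot]"|"databricks-ci-ghec-2[bot]")
      echo "code-freeze: $author is a sync bot, allowed"
      return 0
      ;;
  esac

  echo "code-freeze: this repository is a read-only mirror synced by the" >&2
  echo "code-freeze: databricks-ci-ghec apps; PRs from $author are not accepted" >&2
  return 1
}

# When executed as a workflow step, evaluate the real event.
if [ -n "${EVENT_NAME:-}" ]; then
  code_freeze_check "$EVENT_NAME" "${PR_AUTHOR:-}"
fi
```

Two things worth keeping in mind when wiring this up. The script compares the PR author, not `github.actor`, because the actor of a `pull_request` run can differ from the author (for example on a re-run or a synchronize after someone else pushes). And the exact match on `<slug>[bot]` is deliberate: a human account named `databricks-ci-ghec-1` without the suffix is rejected. The check is only a status signal either way; as the description says, it blocks nothing until it is a required status check on the ruleset.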