Merged
50 changes: 3 additions & 47 deletions .github/workflows/pr.yaml
Expand Up @@ -616,51 +616,7 @@ jobs:

- name: Fetch trusted configuration files from main branch
shell: pwsh
run: |
Write-Host "Fetching configuration files from main branch to prevent malicious overrides..."

# Fetch the main branch
git fetch origin main:main-branch

# List of configuration files that should come from trusted main branch
$configFiles = @(
".editorconfig",
"Directory.Build.props",
"Directory.Build.targets",
"BannedSymbols.txt"
)

# Copy each configuration file from main branch if it exists
foreach ($configFile in $configFiles) {
# Check if file exists in main branch
$exists = git cat-file -e "main-branch:$configFile" 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host " ✓ Copying $configFile from main branch"
git show "main-branch:$configFile" | Out-File -FilePath $configFile -Encoding UTF8 -NoNewline
} else {
Write-Host " ℹ️ $configFile not found in main branch, skipping"
}
}

# Handle glob patterns for .globalconfig, .ruleset, and workflow files
$globPatterns = @("*.globalconfig", "*.ruleset", ".github/workflows/*.yml", ".github/workflows/*.yaml")
foreach ($pattern in $globPatterns) {
$files = git ls-tree -r --name-only main-branch | Select-String -Pattern $pattern.Replace("*", ".*")
foreach ($file in $files) {
if ($file) {
Write-Host " ✓ Copying $file from main branch"
$dir = Split-Path -Parent $file
if ($dir) { New-Item -ItemType Directory -Force -Path $dir | Out-Null }
git show "main-branch:$file" | Out-File -FilePath $file -Encoding UTF8 -NoNewline
}
}
}

Write-Host ""
Write-Host "✅ Configuration files secured - using versions from main branch"

- name: Fetch trusted configuration files from main branch
shell: pwsh
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
Write-Host "Fetching configuration files from main branch to prevent malicious overrides..."

Expand All @@ -681,7 +637,7 @@ jobs:
$exists = git cat-file -e "main-branch:$configFile" 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host " ✓ Copying $configFile from main branch"
git show "main-branch:$configFile" | Out-File -FilePath $configFile -Encoding UTF8 -NoNewline
git show "main-branch:$configFile" | Out-File -FilePath $configFile -Encoding UTF8NoBOM -NoNewline
} else {
Write-Host " ℹ️ $configFile not found in main branch, skipping"
}
Expand All @@ -696,7 +652,7 @@ jobs:
Write-Host " ✓ Copying $file from main branch"
$dir = Split-Path -Parent $file
if ($dir) { New-Item -ItemType Directory -Force -Path $dir | Out-Null }
git show "main-branch:$file" | Out-File -FilePath $file -Encoding UTF8 -NoNewline
git show "main-branch:$file" | Out-File -FilePath $file -Encoding UTF8NoBOM -NoNewline
}
}
}
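Review bot: The two changed `Out-File` lines still send `git show` output through the PowerShell pipeline, which delivers one string per line, and `-NoNewline` then joins those strings with no separator, so the restored file is likely written as a single line rather than a byte-exact copy of the version on main; switching the encoding to `UTF8NoBOM` does not change that. For a step meant to pin trusted configuration, a flattened `.editorconfig` or `BannedSymbols.txt` would probably stop enforcing its rules without failing the job. Letting git write the blob avoids the round trip through strings, e.g. `git restore --source=main-branch --worktree -- $configFile`, and the same with `$file` in the glob loop. Separately, the `else` branch only logs "not found in main branch, skipping", which leaves a copy supplied by the pull request in place; `if (Test-Path $configFile) { Remove-Item -Force $configFile }` there would close that gap. Both loops begin above the visible hunk lines, so this is based on the lines shown.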