ci: High risk file changes as PR comment (#3554)

Remove the no changes in high-risk file script and hashes, and replace
it by adding a GH PR comment.

Author: philipphofmann

.github/file-filters.yml

@@ -0,0 +1,12 @@
+# This is used by the action https://github.com/dorny/paths-filter (which we have forked to https://github.com/getsentry/paths-filter)
+
+high_risk_code: &high_risk_code
+  - 'Sources/Sentry/SentryNSURLSessionTaskSearch.m'
+  - 'Sources/Sentry/SentryNetworkTracker.m'
+  - 'Sources/Sentry/SentryUIViewControllerSwizzling.m'
+  - 'Sources/Sentry/SentryNSDataSwizzling.m'
+  - 'Sources/Sentry/SentrySubClassFinder.m'
+  - 'Sources/Sentry/SentryCoreDataSwizzling.m'
+  - 'Sources/Sentry/SentrySwizzleWrapper.m'
+  - 'Sources/Sentry/include/SentrySwizzle.h'
+  - 'Sources/Sentry/SentrySwizzle.m'

.github/workflows/changes-in-high-risk-code.yml

@@ -0,0 +1,51 @@
+name: Changes In High Risk Code
+on:
+  pull_request:
+
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  files-changed:
+    name: Detect changed files
+    runs-on: ubuntu-latest
+    # Map a step output to a job output
+    outputs:
+      high_risk_code: ${{ steps.changes.outputs.high_risk_code }}
+      high_risk_code_files: ${{ steps.changes.outputs.high_risk_code_files }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get changed files
+        id: changes
+        uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+        with:
+          token: ${{ github.token }}
+          filters: .github/file-filters.yml
+
+          # Enable listing of files matching each filter.
+          # Paths to files will be available in `${FILTER_NAME}_files` output variable.
+          list-files: csv
+
+  validate-high-risk-code:
+    if: needs.files-changed.outputs.high_risk_code == 'true'
+    needs: files-changed
+    runs-on: ubuntu-latest
+    steps:
+      - name: Comment on PR to notify of changes in high risk files
+        uses: actions/github-script@v7
+        env:
+          high_risk_code: ${{ needs.files-changed.outputs.high_risk_code_files }}
+        with:
+          script: |
+            const highRiskFiles = process.env.high_risk_code;
+            const fileList = highRiskFiles.split(',').map(file => `- [ ] ${file}`).join('\n');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `### 🚨 Detected changes in high risk code 🚨 \n High-risk code can easily blow up and is hard to test. We had severe bugs in the past. Be extra careful when changing these files, and have an extra careful look at these:\n ${fileList}`
+            })
+            
+        

.github/workflows/lint.yml

@@ -10,7 +10,6 @@ on:
       - 'Samples/**'
       - '.github/workflows/lint.yml'
       - 'scripts/ci-select-xcode.sh'
-      - 'scripts/no-changes-in-high-risk-files.sh'
 
   pull_request:
     paths:
@@ -20,7 +19,6 @@ on:
       - 'Samples/**'
       - '.github/workflows/lint.yml'
       - 'scripts/ci-select-xcode.sh'
-      - 'scripts/no-changes-in-high-risk-files.sh'
       - 'Sentry.xcodeproj/**'
       - '*.podspec'
 
@@ -74,10 +72,3 @@ jobs:
       - run: pod repo update
       - name: Validate HybridPod Podspec
         run: pod lib lint ./Tests/HybridSDKTest/HybridPod.podspec --allow-warnings --verbose --platforms=ios "--include-podspecs={SentryPrivate.podspec,Sentry.podspec}"
-
-  validate-high-risk-files:
-    name: No changes in high risk files
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: ./scripts/no-changes-in-high-risk-files.sh

.pre-commit-config.yaml

@@ -45,11 +45,3 @@ repos:
         types_or: ["swift", "objective-c", "objective-c++", "c", "c++" ]
         args:
           - "lint"
-
-      - id: no-changes-in-high-risk-files
-        name: No Changes in High Risk Files
-        entry: make
-        language: system
-        types_or: ["swift","objective-c", "objective-c++", "c", "c++"]
-        args:
-          - "no-changes-in-high-risk-files"

Makefile

@@ -18,10 +18,6 @@ lint:
 	swiftlint --strict
 .PHONY: lint
 
-no-changes-in-high-risk-files:
-	@echo "--> Checking if there are changes in high risk files"
-	./scripts/no-changes-in-high-risk-files.sh
-
 format: format-clang format-swift
 
 # Format ObjC, ObjC++, C, and C++