name: GitHub - No Commits on GitHub Web
on:
  pull_request_target:
    types:
      - opened
      - reopened
      # The "synchronize" type may not be used because code review commits,
      # from GitHub UI might be acceptable. Enable this if you want to block
      # all commits from GitHub UI.
      #
      # - synchronize

jobs:
  has-web-commits:
    runs-on: ubuntu-24.04
    steps:
      - name: Check if PR author is allow-listed
        id: pr_author
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prAuthor = context.payload.pull_request.user.login;
            const allowedTeams = ['moderators', 'staff'];
            let isAllowListed = prAuthor === 'renovate[bot]';
            if (!isAllowListed) {
              for (const team of allowedTeams) {
                const response = await github.rest.teams
                  .getMembershipForUserInOrg({
                    org: context.repo.owner,
                    team_slug: team,
                    username: prAuthor
                  })
                  .catch(() => ({ status: 404 }));
                if (response.status === 200) {
                  isAllowListed = true;
                  break;
                }
              }
            }
            core.setOutput('is_allow_listed', isAllowListed);

      - name: Check if commits are made on GitHub Web UI
        id: check-commits
        if: steps.pr_author.outputs.is_allow_listed == 'false'
        run: |
          PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
          COMMITS_URL="https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/commits"
          IS_GITHUB_COMMIT=$(curl --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$COMMITS_URL" | jq '[.[] | select(.commit.committer.name == "GitHub") | select(.commit.message | test("revert"; "i") | not)] | length > 0')
          if [ "$IS_GITHUB_COMMIT" = "true" ]; then
            echo "IS_GITHUB_COMMIT=true" >> $GITHUB_ENV
          fi

      - name: Add comment on PR if commits are made on GitHub Web UI
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        if: steps.pr_author.outputs.is_allow_listed == 'false' && env.IS_GITHUB_COMMIT == 'true'
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            core.setFailed("Commits were added via the GitHub Web UI.");
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: "Thanks for your pull request.\n\n**Please do not add commits via the GitHub Web UI.**\n\nIt generally means you have yet to test these changes in a development setup or complete any prerequisites. We need you to follow the guides mentioned in the checklist. Please revalidate these changes in a developer environment and confirm how you validated your changes.\n\nHappy contributing!\n\n---\n_**Note:** This message was automatically generated by a bot. If you feel this message is in error or would like help resolving it, feel free to reach us [in our contributor chat](https://discord.gg/PRyKn3Vbay)._"
            });