From b86a04cef9f1e1b82cf18e49fc94e017c641130c Mon Sep 17 00:00:00 2001
From: Micaiah Martin <77340197+mimartin12@users.noreply.github.com>
Date: Wed, 10 Aug 2022 18:19:52 +0000
Subject: [PATCH] [DEVOPS-862] Add protections around SQL migration modification changes (#2177)
---
 .github/workflows/enforce-labels.yml | 6 +--
 .github/workflows/protect-files.yml | 59 ++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/protect-files.yml
diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 0a63c70e4..2f448866b 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - name: Enforce Label
- uses: yogevbd/enforce-label-action@8d1e1709b1011e6d90400a0e6cf7c0b77aa5efeb
+ uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024
 with:
- BANNED_LABELS: "hold"
- BANNED_LABELS_DESCRIPTION: "PRs on hold cannot be merged"
+ BANNED_LABELS: "hold, DB migrations changed"
+ BANNED_LABELS_DESCRIPTION: "PRs with ${bannedLabel.name} label cannot be merged"
diff --git a/.github/workflows/protect-files.yml b/.github/workflows/protect-files.yml
new file mode 100644
index 000000000..4e0a739a8
--- /dev/null
+++ b/.github/workflows/protect-files.yml
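Review bot: The new pin for `yogevbd/enforce-label-action` in enforce-labels.yml is a bare commit SHA with nothing recording which upstream release it corresponds to, so a later reviewer cannot tell from the file whether it is a commit on the upstream repository's own history. I would add a trailing comment such as `# <release tag of this commit>` on the `uses:` line and confirm the SHA against upstream before merging. The new `BANNED_LABELS_DESCRIPTION` also depends on the action substituting `${bannedLabel.name}` and on it trimming the space after the comma in `"hold, DB migrations changed"`; neither is visible here, so both are worth checking against the pinned version. The job this step belongs to starts outside the hunk.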
@@ -0,0 +1,59 @@
+# Runs if there are changes to the paths: list.
+# Starts a matrix job to check for modified files, then sets output based on the results.
+# The input decides if the label job is ran, adding a label to the PR.
+---
+
+name: Protect Files
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ paths:
+ - "util/Migrator/DbScripts"
+
+jobs:
+ changed-files:
+ name: Check for file changes
+ runs-on: ubuntu-20.04
+ outputs:
+ changes: steps.check-changes.outputs.changes_detected
+
+ strategy:
+ fail-fast: true
+ matrix:
+ include:
+ - name: Database Scripts
+ path: util/Migrator/DbScripts
+ label: "DB migrations changed"
+ steps:
+ - name: Checkout PR
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ with:
+ fetch-depth: 0
+
+ - name: Check for file changes
+ id: check-changes
+ run: |
+ MODIFIED_FILES=$(git diff --name-only --diff-filter=M ${GITHUB_BASE_REF})
+
+ for file in $MODIFIED_FILES; do
+ if [[ $file == *"${{ matrix.path }}"*]]; then
+ echo "::set-output name=changes_detected::'true'"
+ break
+ else echo "::set-output name=changes_detected::'false'"
+ fi
+ done
+
+ label-pr:
+ name: Add label to pull request
+ runs-on: ubuntu-20.04
+ needs:
+ - changed-files
+ if: contains(needs.changed-files.outputs.changes, "true") || job.changed-files.status == "failure"
+ steps:
+ - name: Label PR
+ uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+ with:
+ add-labels: ${{ matrix.label }}
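Review bot: As written this workflow fails open: the label that enforce-labels.yml blocks on is unlikely ever to be applied, so a modified migration script could merge unflagged. The `outputs.changes` value lacks its `${{ }}` wrapper, the `label-pr` condition uses double-quoted strings and `job.changed-files.status` where expressions take single quotes and `needs.changed-files.result` (reachable after a failure only with `always()`), and `${{ matrix.label }}` is empty in a job that defines no matrix. In the script `*]]` is missing the space before `]]`, the base ref presumably needs an `origin/` prefix after checkout, and the `paths:` filter has no `/**`, so changes under the directory may not trigger the run at all. The fence below sketches those fixes and passes the matrix path through `env:` instead of interpolating it into the script. Labelling also needs a write-scoped token, which `pull_request` runs from forks do not receive, so it would be safer for the check job itself to fail on a modified migration than to rely on the label alone.

```yaml
    paths:
      - "util/Migrator/DbScripts/**"
# … unchanged: jobs.changed-files name, runs-on …
    outputs:
      changes: ${{ steps.check-changes.outputs.changes_detected }}
# … unchanged: strategy/matrix, checkout step …
      - name: Check for file changes
        id: check-changes
        env:
          PROTECTED_PATH: ${{ matrix.path }}
        run: |
          if git diff --name-only --diff-filter=M "origin/${GITHUB_BASE_REF}...HEAD" -- "$PROTECTED_PATH" | grep -q .; then
            echo "::set-output name=changes_detected::true"
          else
            echo "::set-output name=changes_detected::false"
          fi
# … unchanged: label-pr name, runs-on, needs …
    if: always() && (needs.changed-files.outputs.changes == 'true' || needs.changed-files.result == 'failure')
# … unchanged: Label PR step, uses …
        with:
          add-labels: "DB migrations changed"
```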