From 446048fba96bf41c203a1d6db9e72458d9848351 Mon Sep 17 00:00:00 2001
From: Keyrxng <106303466+Keyrxng@users.noreply.github.com>
Date: Fri, 27 Oct 2023 09:57:02 +0100
Subject: [PATCH] Create protect-the-fig.yml

---
 .github/workflows/protect-the-fig.yml | 90 +++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 .github/workflows/protect-the-fig.yml

diff --git a/.github/workflows/protect-the-fig.yml b/.github/workflows/protect-the-fig.yml
new file mode 100644
index 000000000..39405b2eb
--- /dev/null
+++ b/.github/workflows/protect-the-fig.yml
@@ -0,0 +1,90 @@
+name: Check for config changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/ubiquibot-config.yml'
+  push:
+    paths:
+      - '.github/ubiquibot-config.yml'
+
+jobs:
+  permission_check:
+    runs-on: ubuntu-latest
+    outputs:
+      is_admin: ${{ steps.check_permissions.outputs.is_admin }}
+
+    steps:
+    - name: GraphQL Query
+      id: check_permissions
+      run: |
+        org_name="${{ github.repository_owner }}"
+
+        payload=$(jq -n \
+          --arg org_name "$org_name" \
+          --arg actor "${{ github.actor }}" \
+          '{
+            query: "query GetUserOrgRole($orgLogin: String!, $userLogin: String!) {
+              user(login: $userLogin) {
+                organization(login: $orgLogin) {
+                  membersWithRole(first: 100) {
+                    edges {
+                      node {
+                        login
+                      }
+                      role
+                    }
+                  }
+                }
+              }
+            }",
+            variables: {
+              orgLogin: $org_name,
+              userLogin: $actor
+            }
+          }'
+        )
+        
+        response=$(curl -s -H "Authorization: token ${{ secrets.GIT_TOKEN }}" -X POST -d "$payload" https://api.github.com/graphql)
+        user_role=$(echo "$response" | jq -r --arg actor "${{ github.actor }}" '.data.user.organization.membersWithRole.edges[] | select(.node.login == $actor) | .role')
+       
+        if [[ "$user_role" == "ADMIN" ]]; then
+            echo "::set-output name=is_admin::true"
+        else
+            echo "::set-output name=is_admin::false"
+        fi
+
+  check_config_changes:
+    needs: permission_check
+    if: needs.permission_check.outputs.is_admin == 'false'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+      
+    - name: Install jq and yq
+      run: |
+        sudo apt-get -y install jq
+        sudo wget https://github.com/mikefarah/yq/releases/download/v4.6.0/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq
+
+    - name: Check for changes in guarded properties
+      run: |
+        git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
+        git checkout ${{ github.base_ref }}
+        
+        # Convert the YAML to JSON with proper key quotes for jq
+        yq eval -j .github/ubiquibot-config.yml > base_config.json
+        git checkout ${{ github.sha }}
+        yq eval -j .github/ubiquibot-config.yml > current_config.json
+
+        # Guarded properties
+        guarded_props=("evmNetworkId" "priceMultiplier" "issueCreatorMultiplier" "paymentPermitMaxPrice" "assistivePricing" "commentIncentives" "incentives.comment.elements" "incentives.comment.totals.word" "enableAccessControl.label" "enableAccessControl.organization")
+
+        for prop in "${guarded_props[@]}"; do
+          base_value=$(jq -r ".${prop}" base_config.json)
+          current_value=$(jq -r ".${prop}" current_config.json)
+          if [[ "$base_value" != "$current_value" ]]; then
+            echo "Guarded property ${prop} has been modified!"
+            exit 1
+          fi
+        done