PalisadoesFoundation · nilanjan-sikdar · Feb 8, 2026 · Feb 8, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -0,0 +1,57 @@
+.flake8$
+.pydocstyle$
+pyproject.toml$
+.env..*$
+vitest.config.js$
+src/App.tsx$
+^.github/.*
+^.husky/.*
+^scripts/.*
+^src/style/.*
+schema.graphql$
+package.json$
+package-lock.json$
+tsconfig.json$
+^.gitignore$
+^env.example$
+.node-version$
+.eslintrc.json$
+.eslintignore$
+.prettierrc$
+.prettierignore$
+vite.config.ts$
+^docker/docker-compose.prod.yaml$
+^docker/docker-compose.dev.yaml$
+^docker/Dockerfile.dev$
+^docker/Dockerfile.prod$
+^config/docker/setup/nginx.conf$
+^config/docker/setup/nginx.prod.conf$
+CODEOWNERS$
+LICENSE$
+setup.ts$
+.coderabbit.yaml$
+CODE_OF_CONDUCT.md$
+CODE_STYLE.md$
+CONTRIBUTING.md$
+DOCUMENTATION.md$
+INSTALLATION.md$
+ISSUE_GUIDELINES.md$
+PR_GUIDELINES.md$
+README.md$
+index.html$
+.*.pem$
+.*.key$
+.*.cert$
+.*.password$
+.*.secret$
+.*.credentials$
+.nojekyll$
+yarn.lock$
+knip.json$
+knip.deps.json$
+^docs/docusaurus.config.ts$
+^docs/sidebar..*
+CNAME$
+\.md$
+\.txt$
+\.TXT$
@@ -83,6 +83,13 @@ jobs:
         with:
           fetch-depth: 0 # Fetch all history for all branches and tags
 
+      - name: Checkout centralized CI/CD scripts
+        uses: actions/checkout@v4
+        with:
+          repository: PalisadoesFoundation/.github
+          ref: main
+          path: .github-central
+
       - name: Get PR labels
         id: check-labels
         env:
@@ -102,101 +109,34 @@ jobs:
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Set up Python
+        if: steps.check-labels.outputs.skip != 'true'
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
       - name: Get Changed Unauthorized files
         if: steps.check-labels.outputs.skip != 'true'
         id: changed-unauth-files
         run: |
-
           # Skip if not in PR context
           if [ -z "${{ github.event.pull_request.base.sha }}" ]; then
-            echo "any_changed=false" >> $GITHUB_OUTPUT
             exit 0
           fi
 
           # Determine base and head commits for comparison
           HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
           BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA")
 
-          # Define sensitive files patterns as a bash array
-          SENSITIVE_PATTERNS=(
-           ".github/"
-            "package.json"
-            "sidebar.js$"
-            "docusaurus.config.js"
-            "babel.config.js"
-            "CODEOWNERS"
-            "LICENSE" 
-            ".md"
-            "package-lock.json"
-            "tsconfig.json"
-            "pnpm.lock"
-            "static/.nojekyll"
-            ".gitignore"
-            ".prettierignore"
-            ".prettierrc"
-            '^.husky/.*'
-            '^scripts/.*'
-            'tsconfig.json$'
-            '.eslintrc.json$'
-            '.eslintignore$'
-            'CODEOWNERS$'
-            'LICENSE$'
-            '.coderabbit.yaml$'
-            'CODE_OF_CONDUCT.md$'
-            'CODE_STYLE.md$'
-            'CONTRIBUTING.md$'
-            'DOCUMENTATION.md$'
-            'INSTALLATION.md$'
-            'ISSUE_GUIDELINES.md$'
-            'PR_GUIDELINES.md$'
-            'README.md$'
-            '.*.pem$'
-            '.*.key$'
-            '.*.cert$'
-            '.*.password$'
-            '.*.secret$'
-            '.*.credentials$'
-            '.nojekyll$'
-            'knip.json$'
-            'knip.deps.json$'
-            'CNAME$'
-          )
+          # Get all changed files between base and head
+          mapfile -d '' ALL_CHANGED_FILES < <(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA")
 
-          # Check for changes in sensitive files
-          CHANGED_UNAUTH_FILES=""
-          for pattern in "${SENSITIVE_PATTERNS[@]}"; do
-            FILES=$(git diff --name-only --diff-filter=ACMRD "$BASE_SHA" "$HEAD_SHA" | grep -E "$pattern" || true)
-            if [ ! -z "$FILES" ]; then
-              CHANGED_UNAUTH_FILES="$CHANGED_UNAUTH_FILES $FILES"
-            fi
-          done
-
-          # Trim and format output
-          CHANGED_UNAUTH_FILES=$(echo "$CHANGED_UNAUTH_FILES" | xargs)
-          echo "all_changed_files=$CHANGED_UNAUTH_FILES" >> $GITHUB_OUTPUT
-
-          # Check if any unauthorized files changed
-          if [ ! -z "$CHANGED_UNAUTH_FILES" ]; then
-            echo "any_changed=true" >> $GITHUB_OUTPUT
-          else
-            echo "any_changed=false" >> $GITHUB_OUTPUT
+          # Check for sensitive files using the python script
+          if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then
+             chmod +x .github-central/.github/workflows/scripts/sensitive_file_check.py
+             .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
           fi
 
-      - name: List all changed unauthorized files
-        if: steps.changed-unauth-files.outputs.any_changed == 'true'
-        env:
-          CHANGED_UNAUTH_FILES: ${{ steps.changed-unauth-files.outputs.all_changed_files }}
-        run: |
-          echo "::error::Unauthorized changes detected in sensitive files:"
-          echo ""
-          for file in $CHANGED_UNAUTH_FILES; do
-            echo "- $file"
-          done
-          echo ""
-          echo "To override:"
-          echo "Add the 'ignore-sensitive-files-pr' label to this PR."
-          exit 1
-
   Count-Changed-Files:
     if: ${{ github.actor != 'dependabot[bot]' }}
     name: Checks if number of files changed is acceptable