From 49c1368a0b29774986ccc9e14291da89c2805564 Mon Sep 17 00:00:00 2001
From: Aaron Berdy <berdy@amazon.com>
Date: Tue, 21 Nov 2023 13:36:12 -0800
Subject: [PATCH] infra: code freeze (#164)

---
 .github/workflows/code-freeze.yml | 39 +++++++++++++++++++++++++++++++
 .github/workflows/twine-check.yml |  5 ++++
 2 files changed, 44 insertions(+)
 create mode 100644 .github/workflows/code-freeze.yml

diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml
new file mode 100644
index 00000000..5aff0abc
--- /dev/null
+++ b/.github/workflows/code-freeze.yml
@@ -0,0 +1,39 @@
+name: Code Freeze
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FROZEN: ${{ vars.FROZEN }}
+  UNFROZEN_PREFIX: ${{ vars.UNFROZEN_PREFIX }}
+
+jobs:
+  check-pr-frozen-status:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Fetch PR data and check if merge allowed
+      if: env.FROZEN == 'true'
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        PR_DATA=$(curl -s \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -H "Accept: application/vnd.github.v3+json" \
+          https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})
+        BRANCH_NAME=$(echo $PR_DATA | jq .head.ref -r)
+        PR_TITLE=$(echo $PR_DATA | jq .title -r)
+
+        echo $BRANCH_NAME
+        echo $PR_TITLE
+
+        if [[ "$BRANCH_NAME" != $UNFROZEN_PREFIX* ]] && 
+           [[ "$PR_TITLE" != fix:* && "$PR_TITLE" != *"[critical]"* ]]; then
+          echo "Error: You can only merge from branches that start with '$UNFROZEN_PREFIX', or PRs titled with 'fix: ' and containing '[critical]'."
+          exit 1
+        fi
diff --git a/.github/workflows/twine-check.yml b/.github/workflows/twine-check.yml
index a6035204..1b87e48b 100644
--- a/.github/workflows/twine-check.yml
+++ b/.github/workflows/twine-check.yml
@@ -6,6 +6,9 @@ on:
       - main
       - feature/**
 
+permissions:
+  contents: read
+
 jobs:
   twine-check:
     name: Check long description
@@ -20,6 +23,8 @@ jobs:
         run: python -m pip install --user --upgrade wheel
       - name: Install twine
         run: python -m pip install --user --upgrade twine
+      - name: Install setuptools
+        run: python -m pip install --user --upgrade setuptools
       - name: Build a binary wheel and a source tarball
         run: python setup.py sdist bdist_wheel
       - name: Check that long description will render correctly on PyPI.