diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ca3d2866..0950cb38 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,13 +9,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Ensure .code is not tracked
+ - name: Ensure .code/ and .env are not tracked
 shell: bash
 run: |
- tracked="$(git ls-files -- .code)"
- if [ -n "$tracked" ]; then
- echo "The .code/ directory must not be tracked."
- echo "$tracked"
+ tracked_code="$(git ls-files -- .code)"
+ tracked_env="$(git ls-files -- .env)"
+
+ if [ -n "$tracked_code" ] || [ -n "$tracked_env" ]; then
+ echo "Local-only policy and secrets files must not be tracked."
+ if [ -n "$tracked_code" ]; then
+ echo "Tracked .code/ entries:"
+ echo "$tracked_code"
+ fi
+ if [ -n "$tracked_env" ]; then
+ echo "Tracked .env entries:"
+ echo "$tracked_env"
+ fi
 exit 1
 fi
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index 83d7ec31..7174b667 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -16,13 +16,22 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Ensure .code is not tracked
+ - name: Ensure .code/ and .env are not tracked
 shell: bash
 run: |
- tracked="$(git ls-files -- .code)"
- if [ -n "$tracked" ]; then
- echo "The .code/ directory must not be tracked."
- echo "$tracked"
+ tracked_code="$(git ls-files -- .code)"
+ tracked_env="$(git ls-files -- .env)"
+
+ if [ -n "$tracked_code" ] || [ -n "$tracked_env" ]; then
+ echo "Local-only policy and secrets files must not be tracked."
+ if [ -n "$tracked_code" ]; then
+ echo "Tracked .code/ entries:"
+ echo "$tracked_code"
+ fi
+ if [ -n "$tracked_env" ]; then
+ echo "Tracked .env entries:"
+ echo "$tracked_env"
+ fi
 exit 1
 fi
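Review bot: The `.env` pathspec on the new `tracked_env=` line matches only a file literally named `.env` at the repository root, so variants such as `.env.local` or `.env.production` and a nested `app/.env` still pass the gate even though the step's message promises that secrets files are not tracked; a glob pathspec closes that gap: `tracked_env="$(git ls-files -- ':(glob)**/.env' ':(glob)**/.env.*')"`. If the repository intentionally tracks a template such as `.env.example`, exclude it with an additional `':(glob,exclude)**/.env.example'` pathspec rather than loosening the check. The same script is duplicated verbatim in the pr-check.yml hunk, so the fix applies there too, and moving it into a shared script or composite action would keep the two workflows from drifting. Note also that `git ls-files` inspects only the checked-out tree, so a secrets file that was committed and removed again on the same branch is not reported by this step; that is a history-scanning concern outside this check, but the step name should not be read as covering it.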